CVE-2024-21489
📋 TL;DR
CVE-2024-21489 is a prototype pollution vulnerability in uPlot's uplot.assign function that allows attackers to modify JavaScript object prototypes. This can lead to denial of service, remote code execution, or privilege escalation. Any application using vulnerable versions of uPlot is affected.
💻 Affected Systems
- uPlot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service, application crashes, or limited data manipulation depending on how uPlot is integrated.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially just application instability.
🎯 Exploit Status
Exploit requires attacker to control input to uplot.assign function. Public PoC available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.31
Vendor Advisory: https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983
Restart Required: No
Instructions:
1. Update uPlot package to version 1.6.31 or later.
2. For npm: 'npm update uplot'
3. For yarn: 'yarn upgrade uplot'
4. Verify package.json shows version >=1.6.31.
🔧 Temporary Workarounds
Input validation wrapper
Wrap all uplot.assign calls with input validation to reject objects with prototype pollution keys
// Add this wrapper before using uplot.assign
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk the source recursively: merged objects can be nested, so a pollution
// key inside an inner object must be rejected too, not only at the top level.
function assertNoPollutionKeys(value) {
  if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (POLLUTION_KEYS.has(key)) {
        throw new Error('Prototype pollution attempt detected: ' + key);
      }
      assertNoPollutionKeys(value[key]);
    }
  }
}

function safeAssign(target, ...sources) {
  for (const source of sources) {
    assertNoPollutionKeys(source);
  }
  return uplot.assign(target, ...sources);
}
🧯 If You Can't Patch
- Disable or remove uPlot functionality that uses uplot.assign with untrusted input
- Implement strict Content Security Policy (CSP) to limit script execution capabilities
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/uplot/package.json for version <1.6.31
Check Version:
npm list uplot | grep uplot
Verify Fix Applied:
Verify package version is >=1.6.31 and test uplot.assign with prototype pollution payloads
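As an added example (not uPlot's code), the harness below shows how to test a merge function with a constructed prototype pollution payload and confirm that Object.prototype stays clean. naiveDeepMerge is an assumed stand-in for a vulnerable deep merge, safeDeepMerge is the hardened form, and isMergePolluting is the check you would point at uplot.assign once the package is loaded.

```javascript
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Constructed stand-in for a vulnerable deep merge: recurses into nested
// objects without filtering keys, so "__proto__" reaches Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: reject pollution keys at every nesting level and only
// recurse into the target's own properties, never inherited ones.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTION_KEYS.has(key)) {
      throw new Error('Prototype pollution attempt detected: ' + key);
    }
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Feeds a constructed payload through mergeFn and reports whether a fresh
// object inherited the injected property; cleans up so the process stays sane.
function isMergePolluting(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"cve202421489": "polluted"}}');
  try {
    mergeFn({}, payload);
  } catch (e) { /* a rejected payload cannot pollute; fall through */ }
  const polluted = ({}).cve202421489 === 'polluted';
  delete Object.prototype.cve202421489;
  return polluted;
}
```

A patched uplot.assign should behave like safeDeepMerge here: isMergePolluting must return false and the merged object must still carry the ordinary nested keys.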
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript errors, prototype modification attempts, unexpected object property changes
Network Indicators:
- HTTP requests containing '__proto__', 'constructor', or 'prototype' in payloads
SIEM Query:
source="web_logs" AND ("__proto__" OR "constructor" OR "prototype") AND "uplot"