CVE-2024-21529
📋 TL;DR
This CVE describes a prototype pollution vulnerability in the dset npm package that allows attackers to inject malicious properties into JavaScript objects via the __proto__ property. This affects any application using dset versions before 3.1.4, potentially leading to denial of service, remote code execution, or privilege escalation.
💻 Affected Systems
- dset npm package
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment.
Likely Case
Denial of service, application crashes, or limited privilege escalation within the application context.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially only causing application instability.
🎯 Exploit Status
Proof of concept available in security advisories. Exploitation requires user-controlled input to the dset function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.4
Vendor Advisory: https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa
Restart Required: No
Instructions:
1. Update package.json to specify dset version 3.1.4 or higher. 2. Run 'npm update dset' or 'yarn upgrade dset'. 3. Test application functionality.
🔧 Temporary Workarounds
Input validation wrapper
allWrap dset calls with input validation to reject __proto__ and similar prototype pollution vectors.
// JavaScript code to validate input before passing to dset
function safeDset(obj, path, value) {
if (typeof path === 'string' && (path.includes('__proto__') || path.includes('constructor') || path.includes('prototype'))) {
throw new Error('Invalid path: prototype pollution attempt');
}
return dset(obj, path, value);
}
🧯 If You Can't Patch
- Implement strict input validation for all user-controlled data passed to dset function.
- Isolate the vulnerable component using sandboxing or containerization to limit potential damage.
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for dset version. If version is <3.1.4, the system is vulnerable.Check Version:
npm list dset | grep dsetVerify Fix Applied:
Verify dset version is 3.1.4 or higher using 'npm list dset' or check package.json.📡 Detection & Monitoring
Log Indicators:
- Unusual application crashes or errors related to object property assignment
- Suspicious input patterns containing __proto__ or similar strings in application logs
Network Indicators:
- Unusual outbound connections from the application following crashes
SIEM Query:
source="application.log" AND "__proto__" OR "prototype pollution"