CVE-2024-24294
📋 TL;DR
This CVE describes a prototype pollution vulnerability in Blackprint's @blackprint/engine v0.9.0 that allows attackers to execute arbitrary code through the _utils.setDeepProperty function. Prototype pollution of this kind occurs when a deep-property setter walks an attacker-controlled key path: a segment such as __proto__ or constructor.prototype lands the write on Object.prototype, so the injected property appears on every plain object in the process. The vulnerability affects applications that use this version of the Blackprint engine library, and successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Blackprint @blackprint/engine
⚠️ Manual Verification Required
This CVE has no machine-readable version range in our database, so automatic detection that matches on the installed version cannot determine whether your system is affected. Use the manual checks below.
Why? The CVE database entry carries no version range (none provided by the vendor/NVD), even though the description names v0.9.0 as affected and the fix is v0.9.1.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Arbitrary code execution in the context of the application, potentially leading to data theft, privilege escalation, or denial of service.
If Mitigated
Limited impact due to proper input validation, sandboxing, or network segmentation preventing exploitation.
🎯 Exploit Status
Prototype pollution is a well-understood bug class, and generic public proof-of-concept payloads for it exist (a key path containing __proto__ or constructor.prototype passed to a deep-property setter). This page does not track a proof of concept specific to this CVE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.9.1 or later
Vendor Advisory: https://github.com/Blackprint/Blackprint/releases
Restart Required: Yes
Instructions:
1. Update @blackprint/engine to v0.9.1 or later. Note that npm update only moves within the range already declared in package.json, so if the dependency is pinned to 0.9.0 use npm install @blackprint/engine@^0.9.1 instead.
2. Restart all applications using the library; a running Node.js process keeps the old module loaded.
3. Verify the update with npm list @blackprint/engine, which also shows copies nested under other dependencies, and confirm that package-lock.json and node_modules/@blackprint/engine/package.json report 0.9.1 or later.
🔧 Temporary Workarounds
Input Validation
Reject any user-controlled key path passed to _utils.setDeepProperty that contains the segments __proto__, constructor or prototype at any position, and only traverse own properties of plain objects. Allow-listing the keys the application actually expects is stronger still.
Object.freeze() on Prototype
Freeze Object.prototype so that no property can be added to it. Do this at process start, before any untrusted input is handled. The blocked write throws a TypeError in strict-mode code and is silently ignored in sloppy mode, and libraries that legitimately extend Object.prototype will break, so test before deploying. It does not protect other prototypes (for example Array.prototype), and it is a mitigation, not a fix. On Node.js 12.17 or later, node --disable-proto=throw additionally removes the __proto__ accessor route, but it does not block the constructor.prototype route.
Object.freeze(Object.prototype);
🧯 If You Can't Patch
- Where the engine runs in the browser, set a strict Content Security Policy; it does not stop the pollution itself, but it limits what injected script can load or execute. It is irrelevant to a server-side Node.js deployment.
- Do not pass untrusted key paths to the engine at all if the application can avoid it, run the vulnerable component with least privilege, and isolate it in a network segment with restricted outbound access so that a pollution escalating to code execution cannot reach further.
🔍 How to Verify
Check if Vulnerable:
Check the installed version, not just the range declared in package.json: run npm list @blackprint/engine or read node_modules/@blackprint/engine/package.json. Version 0.9.0 is vulnerable, and a second copy nested under another dependency is affected as well.
Check Version:
npm list @blackprint/engine
Verify Fix Applied:
Verify that every installed copy of @blackprint/engine is 0.9.1 or higher: package-lock.json and node_modules/@blackprint/engine/package.json should report the new version, and npm list @blackprint/engine should show no remaining 0.9.0 entry.
📡 Detection & Monitoring
Log Indicators:
- TypeErrors such as "x is not a function" or "cannot read properties of undefined" appearing across unrelated code paths, and properties turning up on objects that never set them; both are typical once Object.prototype has been polluted
- Application logs showing a write to a key path that contains __proto__, constructor or prototype
Network Indicators:
- Unusual outbound connections from the application
- Suspicious payloads containing __proto__ or constructor properties
SIEM Query:
source="application_logs" AND ("__proto__" OR ("constructor" AND "prototype"))
Search request bodies and query strings rather than free-text log messages: the bare word constructor appears in ordinary stack traces and class names and will flood the alert with false positives, and the constructor route needs prototype in the same payload.