CVE-2024-29650
📋 TL;DR
CVE-2024-29650 is a prototype pollution vulnerability in @thi.ng/paths library that allows remote attackers to execute arbitrary code via the mutIn and mutInManyUnsafe components. This affects applications using vulnerable versions of this JavaScript library, potentially leading to complete system compromise.
💻 Affected Systems
- @thi.ng/paths
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Application compromise allowing data manipulation, privilege escalation, and potential access to underlying server resources.
If Mitigated
Limited impact with proper input validation and security controls, potentially reduced to denial of service or limited data exposure.
🎯 Exploit Status
Prototype pollution vulnerabilities are well-understood and can be exploited with minimal technical knowledge when public PoCs exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.1.63 or later
Vendor Advisory: https://github.com/thi-ng/umbrella/security/advisories/GHSA-4q5w-9jvq-5q5q
Restart Required: No
Instructions:
1. Update @thi.ng/paths to version 5.1.63 or later using npm update @thi.ng/paths.
2. Verify the update with npm list @thi.ng/paths.
3. Test application functionality after the update.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for all user-controlled paths and values passed to the mutIn and mutInManyUnsafe functions, rejecting any path segment named __proto__, constructor or prototype.
Object.freeze on Prototypes
Freeze Object.prototype and other critical prototypes to prevent pollution:
// Blocks new properties from being added to the root prototype. Test first: code
// that extends Object.prototype (polyfills, some older libraries) will break.
Object.freeze(Object.prototype);
// Object.prototype has no prototype (its __proto__ is null), so freezing it here is
// a no-op; freeze other shared prototypes such as Array.prototype explicitly if needed.
Object.freeze(Object.prototype.__proto__);
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm list @thi.ng/paths to see whether the installed version is 5.1.62 or earlier.
Check Version:
npm list @thi.ng/paths | grep @thi.ng/paths
Verify Fix Applied:
Verify @thi.ng/paths version is 5.1.63 or later using npm list @thi.ng/paths
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript errors related to prototype modification
- Unexpected property assignments in object logs
- Suspicious input patterns in mutIn/mutInManyUnsafe function calls
Network Indicators:
- Malformed JSON payloads with __proto__ or constructor properties
- Unusual HTTP requests containing prototype pollution patterns
SIEM Query:
source="application_logs" AND ("__proto__" OR "constructor" OR "prototype") AND ("mutIn" OR "mutInManyUnsafe")
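Added example, not code from this advisory or from the @thi.ng/paths project, covering both the input-validation workaround above and the payload check behind the network indicators: a hypothetical mutIn-style setter (guardedMutIn) that refuses prototype-reaching path segments, and a scanner (findPollutingKeys) that reports such keys in a parsed request body. The function names and the sample payload are assumptions constructed for the example.

```javascript
// Added example (not the advisory's or @thi.ng/paths' own code).
// Segments that can reach a shared prototype through a path-based setter.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Normalise a path given as "a.b.c" or ["a", "b", "c"] into string segments.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// True when any segment of the path names a prototype-reaching property.
function hasPollutingSegment(path) {
  return toSegments(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Hypothetical mutIn-style setter (not the library's implementation): it
// rejects polluting segments up front and creates intermediate objects with
// a null prototype, so a path can only ever write into the target object.
function guardedMutIn(obj, path, value) {
  const segs = toSegments(path);
  if (hasPollutingSegment(segs)) {
    throw new TypeError(`refused prototype-reaching path: ${segs.join(".")}`);
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, segs[i]);
    if (!own || cur[segs[i]] === null || typeof cur[segs[i]] !== "object") {
      cur[segs[i]] = Object.create(null);
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Detection side: walk a parsed request body and return the key paths that
// carry polluting names, so the request can be logged or rejected before it
// reaches any path-mutation code. JSON.parse keeps "__proto__" as an own key.
function findPollutingKeys(node, prefix = "") {
  const hits = [];
  if (node === null || typeof node !== "object") return hits;
  for (const key of Object.keys(node)) {
    const here = prefix ? `${prefix}.${key}` : key;
    if (FORBIDDEN_SEGMENTS.has(key)) hits.push(here);
    hits.push(...findPollutingKeys(node[key], here));
  }
  return hits;
}

// Constructed sample payload of the shape the network indicators describe.
const SAMPLE_BODY = JSON.parse('{"user":{"__proto__":{"isAdmin":true}},"name":"x"}');
```

findPollutingKeys(SAMPLE_BODY) returns ["user.__proto__"], which is the path a WAF rule or SIEM query would want to log alongside the request.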
🔗 References
- https://gist.github.com/tariqhawis/1bc340ca5ea6ae115c9ab9665cfd5921
- https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
- https://www.vicarius.io/vsociety/posts/unwinding-cve-2024-29650-a-tale-of-javascript-source-code-review-to-unravel-the-mysterious-prototype-pollution-amid-of-loose-defenses