CVE-2024-32866
📋 TL;DR
CVE-2024-32866 is a prototype pollution vulnerability in the Conform form validation library. It allows attackers to modify JavaScript object prototypes by submitting specially crafted nested object inputs to parseWith functions. Applications using Conform for server-side validation of form data or URL parameters are affected.
💻 Affected Systems
- Conform form validation library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution, complete application compromise, or data corruption resulting from the prototype pollution.
Likely Case
Application instability, denial of service, or data manipulation through prototype pollution affecting application behavior.
If Mitigated
Limited impact if input validation or sanitization is implemented elsewhere in the application stack.
🎯 Exploit Status
Exploitation requires sending crafted input to vulnerable parseWith functions, which is straightforward for attackers familiar with prototype pollution techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.1
Vendor Advisory: https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf
Restart Required: No
Instructions:
1. Update the Conform dependency to version 1.1.1 or later.
2. Run npm update conform or yarn upgrade conform.
3. Test application functionality to ensure compatibility.
🔧 Temporary Workarounds
Input validation filter
Implement server-side input validation that rejects nested object notation (object.property) in form data before it is passed to Conform.
Disable nested object parsing
Configure Conform to disable its nested object parsing feature if the application does not require it.
🧯 If You Can't Patch
- Implement strict input validation to reject any input containing dot notation or suspicious patterns.
- Use a web application firewall (WAF) with rules to detect and block prototype pollution attempts.
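The workaround and the "if you can't patch" advice above both come down to the same control: a form parser that turns dot-notation field names into nested objects must refuse segments that reach the prototype chain. The following is an added example, not code from the Conform project or from this advisory. It builds a minimal dot-notation setter in an unsafe form (to show how a crafted field name lands on Object.prototype) and a hardened form that rejects `__proto__`, `constructor` and `prototype` segments and can also run in a flat, non-nested mode. The field names, the sample submission and the function names are all constructed for the demonstration.

```javascript
// Added example, not code from the Conform project: a minimal dot-notation
// field setter of the kind form parsers use, in an unsafe form that can reach
// Object.prototype and a hardened form that rejects prototype-reaching
// segments and can also run in a flat (non-nested) mode. The field names and
// submission below are constructed for the demonstration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe setter: creates or descends into intermediate objects for each path
// segment without asking whether the segment names an inherited property.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // for "__proto__" this is Object.prototype
  }
  node[segments[segments.length - 1]] = value;
}

// Hardened setter: refuses any segment that could reach the prototype chain and
// only descends into the target's own properties, never inherited ones.
function setPathSafe(target, path, value) {
  const segments = path.split('.');
  for (const key of segments) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected field "${path}": segment "${key}" is not allowed`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
}

// Parses [name, value] pairs into an object. nested=false is the "disable
// nested object parsing" workaround: names are kept as flat keys.
function parseSubmission(entries, { nested = true, setPath = setPathSafe } = {}) {
  const result = {};
  for (const [name, value] of entries) {
    if (nested) {
      setPath(result, name, value);
    } else {
      if (FORBIDDEN_KEYS.has(name)) throw new Error(`rejected field "${name}"`);
      result[name] = value;
    }
  }
  return result;
}

// Constructed submission: one ordinary nested field and one aimed at the prototype chain.
const SAMPLE_ENTRIES = [
  ['address.city', 'Berlin'],
  ['__proto__.polluted', 'yes'],
];

// Returns what an unrelated object reports for "polluted" after unsafe parsing,
// then removes the injected property so the rest of the process is unaffected.
function demoUnsafe() {
  const unrelated = {};
  try {
    parseSubmission(SAMPLE_ENTRIES, { setPath: setPathUnsafe });
    return unrelated.polluted; // 'yes': every object now inherits the value
  } finally {
    delete Object.prototype.polluted;
  }
}

// Same submission through the hardened setter: the bad field is rejected and
// unrelated objects are untouched.
function demoSafe() {
  const unrelated = {};
  let rejected = null;
  try {
    parseSubmission(SAMPLE_ENTRIES);
  } catch (err) {
    rejected = err.message;
  }
  return { polluted: unrelated.polluted, rejected };
}

console.log('unsafe parser, unrelated.polluted =', demoUnsafe());
console.log('hardened parser:', demoSafe());
```

The important design point is in `setPathSafe`: rejecting the three key names is necessary, but descending only into own properties (`hasOwnProperty`) is what keeps the walk from ever stepping onto an inherited object even if a new bypass key turns up. A WAF rule that only looks for a literal "." in parameter names, as suggested above, would block the benign `address.city` field as well; filtering on the segments is what separates the two.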
🔍 How to Verify
Check if Vulnerable:
Check package.json or lock file for Conform version below 1.1.1. Review code for usage of Conform parseWith functions with user input.
Check Version:
npm list conform or grep -r "conform" package.json
Verify Fix Applied:
Confirm Conform version is 1.1.1 or higher in package.json and test that nested object inputs no longer cause prototype pollution.
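The version check above can be automated over a lockfile. The following is an added example, not part of the original advisory: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports any Conform package below the fixed version 1.1.1, including copies nested under another dependency's node_modules. The lock content is constructed, and matching both the bare name "conform" used by this page and the "@conform-to/" npm scope is this example's assumption about how the library is published.

```javascript
// Added example, not part of the original advisory: checks a package-lock.json
// (lockfileVersion 2 or 3 "packages" map) for Conform packages below the fixed
// version 1.1.1. The lock content is constructed. Matching both the bare name
// "conform" used by this page and the "@conform-to/" npm scope is this
// example's assumption about how the library is published.

const FIXED_VERSION = '1.1.1';

function isConformPackage(name) {
  return name === 'conform' || name.startsWith('@conform-to/');
}

// Parses "MAJOR.MINOR.PATCH[-prerelease]" into numbers; the prerelease tag is ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version "${version}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns true when version a is strictly lower than version b.
function semverLess(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Walks the lockfile's "packages" map; keys look like "node_modules/@scope/name",
// possibly nested under another package's node_modules.
function findVulnerableConformPackages(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry has key ""
    const name = key.slice(idx + 'node_modules/'.length);
    if (!isConformPackage(name) || !entry.version) continue;
    if (semverLess(entry.version, FIXED_VERSION)) {
      findings.push({ path: key, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: one fixed copy, one outdated, one outdated nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/@conform-to/dom': { version: '1.0.2' },
    'node_modules/@conform-to/react': { version: '1.1.1' },
    'node_modules/some-lib/node_modules/@conform-to/dom': { version: '1.1.0' },
    'node_modules/zod': { version: '3.22.4' },
  },
};

console.log(findVulnerableConformPackages(SAMPLE_LOCK));
```

Checking the lockfile rather than package.json matters because package.json only carries a range; the nested copy under some-lib in the sample would not show up in a top-level dependency declaration at all, which is why `npm list conform` alone can miss it.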
📡 Detection & Monitoring
Log Indicators:
- Unusual form submissions with nested object notation
- Application errors related to object prototype modifications
Network Indicators:
- HTTP requests with form data containing object.property patterns
- Unexpected parameter structures in POST/PUT requests
SIEM Query:
source="web_server" AND (form_data CONTAINS "." OR params CONTAINS ".")
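The SIEM query above matches any parameter containing a dot, which in an application that legitimately uses nested fields (address.city, items[0].qty) is nearly every request. The following is an added example, not part of the original advisory: detection logic that splits each field name into path segments and flags only names with a segment that reaches the prototype chain. The log records are constructed, and handling only application/x-www-form-urlencoded bodies is this example's assumption.

```javascript
// Added example, not part of the original advisory: detection logic that
// flags request bodies whose field names reach the prototype chain, rather
// than every name containing a dot. The log records are constructed; only
// application/x-www-form-urlencoded bodies are handled, which is an
// assumption of this example.

const PROTOTYPE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Splits a field name into path segments, accepting both dot and bracket
// notation ("a.b", "a[b]", "items[0].qty").
function fieldSegments(name) {
  return name
    .replace(/\]/g, '')
    .split(/[.[]/)
    .filter((s) => s.length > 0);
}

// A name is suspicious when any segment names a prototype-reaching property.
function isPrototypeReaching(name) {
  return fieldSegments(name).some((s) => PROTOTYPE_SEGMENTS.has(s));
}

// Scans request records and returns one finding per offending field.
// URLSearchParams percent-decodes names first, so "%5F%5Fproto%5F%5F" is
// seen as "__proto__" and simple encoding does not evade the check.
function findPrototypePollutionAttempts(records) {
  const findings = [];
  for (const rec of records) {
    if (typeof rec.body !== 'string') continue;
    for (const [name] of new URLSearchParams(rec.body)) {
      if (isPrototypeReaching(name)) {
        findings.push({ ts: rec.ts, path: rec.path, field: name });
      }
    }
  }
  return findings;
}

// Constructed web-server log records: two benign nested submissions, three attempts.
const SAMPLE_RECORDS = [
  { ts: '2024-04-18T10:00:01Z', method: 'POST', path: '/profile', body: 'name=Ann&address.city=Berlin' },
  { ts: '2024-04-18T10:00:02Z', method: 'POST', path: '/cart', body: 'items[0].qty=2&items[0].sku=A1' },
  { ts: '2024-04-18T10:00:03Z', method: 'POST', path: '/profile', body: 'name=x&__proto__.polluted=1' },
  { ts: '2024-04-18T10:00:04Z', method: 'POST', path: '/profile', body: 'constructor[prototype][polluted]=1' },
  { ts: '2024-04-18T10:00:05Z', method: 'POST', path: '/profile', body: 'name=x&%5F%5Fproto%5F%5F.polluted=1' },
];

console.log(findPrototypePollutionAttempts(SAMPLE_RECORDS));
```

Two points carry over to a real SIEM rule: decode the parameter names before matching, and match on segments rather than substrings, otherwise a legitimate field such as "constructorName" or a dotted but harmless path produces a flood of false positives.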
🔗 References
- https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117
- https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de
- https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf