CVE-2024-36572

9.8 CRITICAL

📋 TL;DR

This CVE describes a prototype pollution vulnerability in allpro form-manager version 0.7.4 that allows attackers to inject arbitrary properties into JavaScript objects, potentially leading to remote code execution. Attackers can exploit this via the setDefaults, mergeBranch, and Object.setObjectValue functions. Any application using this vulnerable version of form-manager is affected.

💻 Affected Systems

Products:
  • allpro form-manager
Versions: 0.7.4
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using form-manager 0.7.4 with the vulnerable functions is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Arbitrary code execution in the context of the application, potentially allowing privilege escalation and unauthorized access to sensitive data.

🟢

If Mitigated

Limited impact if proper input validation and sandboxing are implemented, though prototype pollution could still cause application instability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is publicly available in the GitHub gist references, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Remove or replace form-manager 0.7.4 with a secure alternative.

🔧 Temporary Workarounds

Remove vulnerable package (platform: all)

Uninstall form-manager 0.7.4 and replace it with an alternative form management solution:

npm uninstall form-manager

Input validation wrapper (platform: all)

Implement strict input validation for all user inputs passed to form-manager functions.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Isolate the application in a container or sandbox to limit potential damage from exploitation
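The following is an added example, not code from this advisory or from the form-manager project, showing the kind of input validation wrapper the workaround above describes. It rejects untrusted JSON that carries prototype-pollution keys anywhere in its tree before the object can reach a setDefaults/mergeBranch-style routine, and applies defaults with a merge that can never write to Object.prototype. The function names (findPollutionKey, loadFormPayload, safeMerge) are this example's own, and the inputs in the demo are constructed.

```javascript
'use strict';
// Added example: defensive wrapper for untrusted form payloads. Not part of
// the advisory or of form-manager; function names are this example's own.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Walk a parsed value and return the dotted path of the first forbidden key,
// or null when the value is clean. JSON.parse stores a "__proto__" key as an
// ordinary own property, so Object.keys() sees it and we never touch the
// inherited __proto__ accessor.
function findPollutionKey(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutionKey(value[i], path.concat(String(i)));
      if (hit !== null) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    const here = path.concat(key);
    if (FORBIDDEN_KEYS.has(key)) return here.join('.');
    const hit = findPollutionKey(value[key], here);
    if (hit !== null) return hit;
  }
  return null;
}

// Parse an untrusted request body and refuse it outright if polluted, so the
// object never reaches a defaults/merge routine in the application.
function loadFormPayload(rawJson) {
  const parsed = JSON.parse(rawJson);
  const bad = findPollutionKey(parsed);
  if (bad !== null) {
    throw new Error(`rejected form payload: forbidden key at "${bad}"`);
  }
  return parsed;
}

// Deep merge that copies only own, non-forbidden keys onto a prototype-less
// result, so no key in either input can reach Object.prototype.
function safeMerge(target, source) {
  const out = Object.create(null);
  for (const key of Object.keys(target)) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = target[key];
  }
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      out[key] = safeMerge(isPlainObject(out[key]) ? out[key] : {}, src);
    } else {
      out[key] = src;
    }
  }
  return out;
}

// Stand-alone demo with constructed inputs.
const defaults = { theme: 'light', fields: { name: { required: true } } };
const clean = loadFormPayload('{"fields":{"email":{"required":false}}}');
console.log(JSON.stringify(safeMerge(defaults, clean)));
try {
  loadFormPayload('{"fields":{"__proto__":{"isAdmin":true}}}');
} catch (err) {
  console.log(err.message);
}
console.log('Object.prototype.isAdmin:', ({}).isAdmin);
```

Rejecting the whole request is deliberate: silently dropping the offending key would let a tampered payload proceed and hide the attempt from logs. The null-prototype result of safeMerge also means later lookups on the merged object cannot be satisfied by inherited properties, which is what prototype pollution relies on.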

🔍 How to Verify

Check if Vulnerable:

Check package.json for form-manager version 0.7.4 or run: npm list form-manager

Check Version:

npm list form-manager

Verify Fix Applied:

Verify that form-manager is no longer installed or has been replaced with a different version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript object property modifications
  • Unexpected function calls to setDefaults, mergeBranch, or Object.setObjectValue
  • Application crashes or abnormal behavior

Network Indicators:

  • Unusual HTTP requests containing JavaScript object manipulation patterns
  • Requests with unexpected property names in payloads

SIEM Query:

Search application logs for entries that reference form-manager, setDefaults, mergeBranch, or Object.setObjectValue together with suspicious payloads.
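As an added example (not from this advisory), the "unexpected property names in payloads" indicator above can be turned into a concrete check. The script below scans access-log lines that record request bodies and raises an alert for each body carrying prototype-pollution key patterns, in JSON form or URL-encoded form. The log format (one JSON object per line with ts, path and body fields) and the sample lines are constructed for this example; adapt the field names to your own logging.

```javascript
'use strict';
// Added example: detection over request-body logs. Log format and sample
// lines are constructed; not part of the advisory or of form-manager.

const PATTERNS = [
  { name: 'json __proto__ key', re: /"__proto__"\s*:/ },
  { name: 'json constructor.prototype chain', re: /"constructor"\s*:\s*\{[^}]*"prototype"\s*:/ },
  { name: 'form-encoded __proto__ segment', re: /(^|[&[.])__proto__(\]|[=[.])/ },
  { name: 'form-encoded constructor[prototype]', re: /constructor(\]\[|\.)prototype/ },
];

// Undo up to two layers of URL-encoding so bracket syntax like
// fields[__proto__][x] is visible; stop early when decoding changes nothing.
function normalizeBody(body) {
  let out = String(body);
  for (let i = 0; i < 2; i++) {
    try {
      const dec = decodeURIComponent(out.replace(/\+/g, ' '));
      if (dec === out) break;
      out = dec;
    } catch (_) {
      break; // malformed escape: keep what we have
    }
  }
  return out;
}

// Return the names of every pattern that matches the body (empty if clean).
function scanBody(body) {
  const text = normalizeBody(body);
  return PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Parse JSON-lines log records and collect one alert per suspicious body.
function scanLogLines(lines) {
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (_) { continue; }
    if (typeof rec.body !== 'string') continue;
    const reasons = scanBody(rec.body);
    if (reasons.length > 0) alerts.push({ ts: rec.ts, path: rec.path, reasons });
  }
  return alerts;
}

// Constructed sample log: one benign request, three suspicious ones, one junk line.
const SAMPLE_LOG = [
  '{"ts":"2024-06-01T10:00:00Z","path":"/api/form/save","body":"{\\"fields\\":{\\"email\\":\\"a@example.test\\"}}"}',
  '{"ts":"2024-06-01T10:00:05Z","path":"/api/form/save","body":"{\\"fields\\":{\\"__proto__\\":{\\"isAdmin\\":true}}}"}',
  '{"ts":"2024-06-01T10:00:09Z","path":"/api/form/save","body":"fields%5B__proto__%5D%5BisAdmin%5D=true"}',
  '{"ts":"2024-06-01T10:00:12Z","path":"/api/form/save","body":"{\\"constructor\\":{\\"prototype\\":{\\"x\\":1}}}"}',
  'not json at all',
];

for (const alert of scanLogLines(SAMPLE_LOG)) {
  console.log(`[ALERT] ${alert.ts} ${alert.path}: ${alert.reasons.join(', ')}`);
}
```

Matching on the decoded body rather than the raw line is what catches the bracket-syntax variant; a plain substring search for __proto__ on raw logs misses percent-encoded requests. Expect some false positives from legitimate bodies that merely contain the word "constructor", which is why the second pattern requires the nested "prototype" key as well.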
