CVE-2024-36575
📋 TL;DR
CVE-2024-36575 is a critical prototype pollution vulnerability in getsetprop 1.1.0 that allows attackers to modify JavaScript object prototypes, potentially leading to arbitrary code execution via the global.accessor function. This affects any application using the vulnerable getsetprop library version. Attackers can exploit this to compromise systems running affected software.
💻 Affected Systems
- getsetprop
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, data theft, and complete control over affected systems.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential lateral movement within networks.
If Mitigated
Limited impact due to network segmentation, minimal privileges, and proper input validation preventing exploitation.
🎯 Exploit Status
Proof-of-concept code is publicly available, making exploitation straightforward for attackers with basic JavaScript knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.1 or later
Vendor Advisory: https://github.com/username/getsetprop (check repository for updates)
Restart Required: Yes
Instructions:
1. Update getsetprop to version 1.1.1 or later using npm update getsetprop. 2. Restart all Node.js applications using the library. 3. Verify no dependencies are pinned to vulnerable version.
🔧 Temporary Workarounds
Input Validation Wrapper
allImplement strict input validation for all user inputs passed to getsetprop functions
// JavaScript code to validate inputs before getsetprop calls
function safeGetSetProp(input) { if (typeof input !== 'string' || input.includes('__proto__') || input.includes('constructor')) { throw new Error('Invalid input'); } return getsetprop(input); }
🧯 If You Can't Patch
- Implement network segmentation to isolate affected applications from critical systems
- Apply strict input validation and sanitization for all user inputs to getsetprop functions
🔍 How to Verify
Check if Vulnerable:
Check package.json or run npm list getsetprop to see if version 1.1.0 is installedCheck Version:
npm list getsetprop | grep getsetpropVerify Fix Applied:
Verify getsetprop version is 1.1.1 or later using npm list getsetprop📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript errors related to prototype modification
- Unexpected process spawns from Node.js applications
- Suspicious network connections from Node.js processes
Network Indicators:
- Unexpected outbound connections from Node.js applications
- Traffic patterns indicating data exfiltration
SIEM Query:
process.name:node.exe AND (command_line:*getsetprop* OR command_line:*global.accessor*)