CVE-2024-36582

9.8 CRITICAL

📋 TL;DR

CVE-2024-36582 is a prototype pollution vulnerability in the alexbinary object-deep-assign npm package that allows attackers to modify object prototypes, potentially leading to remote code execution or denial of service. Any application using vulnerable versions of this package is affected, particularly Node.js applications that process untrusted user input.

💻 Affected Systems

Products:
  • alexbinary object-deep-assign
Versions: 1.0.11 and earlier
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable extend() method from the deepAssign module is affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service, application crashes, or unauthorized data manipulation.

🟢 If Mitigated

Limited impact if input validation and sandboxing prevent prototype pollution.

🌐 Internet-Facing: HIGH - Web applications processing user input are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated users or other vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.12 or later

Vendor Advisory: https://github.com/alexbinary/object-deep-assign

Restart Required: Yes

Instructions:

  1. Update package.json to use object-deep-assign version 1.0.12 or higher.
  2. Run 'npm update object-deep-assign' or 'yarn upgrade object-deep-assign'.
  3. Restart your application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to prevent prototype pollution payloads.

Use Object.freeze() on prototypes (applies to: all)

Freeze Object.prototype to prevent modifications.

Object.freeze(Object.prototype);

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-controlled data
  • Use alternative deep merge libraries that are not vulnerable to prototype pollution
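The two workarounds above (strict validation of user-controlled data, and a deep merge that cannot reach a prototype) in working form, as an added example that is not from this advisory or from the object-deep-assign project. The function names, the key denylist and the sample request bodies are constructed for illustration; the validator returns the JSON path of the offending key so the rejection can be logged as a concrete indicator.

```javascript
// Added example (not advisory or project code): a prototype-safe deep assign
// and a validator for untrusted JSON, run before any merge library sees the data.
'use strict';

// Keys through which a merged object can reach Object.prototype or a
// constructor's prototype. This is the denylist the validator enforces.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only recurse into plain objects (what JSON.parse produces); arrays, Dates
// and class instances are assigned by reference like any other value.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' &&
    Object.getPrototypeOf(value) === Object.prototype;
}

// Walk a parsed JSON value and return the JSON path of the first forbidden
// key, or null if the value is clean. Usable both for request validation and
// for producing the log line when a request is rejected.
function findForbiddenKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const hit = findForbiddenKey(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Deep-assign sources into target. Forbidden keys are rejected outright, and
// the merge never recurses into a property the target only inherits (such as
// toString), so nothing on a prototype is ever written to.
function safeDeepAssign(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new TypeError(`refusing to merge prototype-polluting key "${key}"`);
      }
      const value = source[key];
      if (isPlainObject(value)) {
        // Use a fresh own object unless target already owns a plain object here.
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
          target[key] = {};
        }
        safeDeepAssign(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Parse untrusted JSON text and merge it over defaults into a fresh object,
// but only if it validates. Returns { ok, result } or { ok, rejectedAt }.
function mergeUntrustedJson(defaults, text) {
  const parsed = JSON.parse(text); // JSON.parse keeps "__proto__" as an own key
  const rejectedAt = findForbiddenKey(parsed);
  if (rejectedAt !== null) {
    return { ok: false, rejectedAt };
  }
  return { ok: true, result: safeDeepAssign({}, defaults, parsed) };
}

// Constructed sample inputs standing in for request bodies (not real traffic).
const DEFAULTS = { theme: 'light', limits: { rate: 100, burst: 10 } };
const CLEAN_BODY = '{"theme":"dark","limits":{"burst":20}}';
const POLLUTING_BODY = '{"limits":{"__proto__":{"isAdmin":true}}}';

// Run both bodies through the validator-plus-merge path and report the outcome.
function demo() {
  return {
    clean: mergeUntrustedJson(DEFAULTS, CLEAN_BODY),
    polluting: mergeUntrustedJson(DEFAULTS, POLLUTING_BODY),
    prototypeUntouched: ({}).isAdmin === undefined,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The rejection path (for example `$.limits.__proto__`) is the value to write to the application log; it is far more specific than the generic SIEM query's bare "constructor" match, which will also fire on ordinary class code. Note that the `Object.freeze(Object.prototype)` workaround listed above also prevents legitimate polyfills and libraries that extend built-ins from loading, so exercise the full dependency set in staging before enabling it.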

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list object-deep-assign' to see if version 1.0.11 or earlier is installed.

Check Version:

npm list object-deep-assign | grep object-deep-assign

Verify Fix Applied:

Verify the installed version is 1.0.12 or later using 'npm list object-deep-assign'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes
  • Unexpected prototype modifications in logs
  • Suspicious deep object merge operations

Network Indicators:

  • Requests containing prototype pollution payloads in JSON data

SIEM Query:

source="application.logs" AND ("prototype pollution" OR "__proto__" OR "constructor")
