CVE-2024-38993

9.8 CRITICAL

📋 TL;DR

CVE-2024-38993 is a prototype pollution vulnerability in rjrodger jsonic-next v2.12.1 that allows attackers to inject arbitrary properties into object prototypes. This can lead to arbitrary code execution or denial of service by manipulating the application's behavior. Anyone using the vulnerable version of jsonic-next is affected.

💻 Affected Systems

Products:
  • rjrodger jsonic-next
Versions: v2.12.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using jsonic-next v2.12.1 with the empty function is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case: Denial of service through application crashes or instability, potentially leading to data corruption.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only causing application errors.

🌐 Internet-Facing: HIGH - Web applications using this library could be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub gists, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.12.2 or later

Vendor Advisory: https://github.com/rjrodger/jsonic-next/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to use jsonic-next v2.12.2 or later.
2. Run 'npm update jsonic-next' or 'yarn upgrade jsonic-next'.
3. Restart all Node.js applications using the library.

🔧 Temporary Workarounds

Input Validation Wrapper


Wrap jsonic-next calls with strict input validation to reject malicious payloads

// JavaScript example: Validate input objects before passing to jsonic-next functions
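The wrapper described above, as an added JavaScript example that is not part of this advisory or of the jsonic-next project. It screens untrusted text for prototype-polluting key names, parses it with a caller-supplied parser (JSON.parse stands in, since nothing is assumed about jsonic-next's API), and confirms that Object.prototype was not modified during parsing.

```javascript
// Added defensive example; the parser is injected so no jsonic-next API is assumed.
const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];

// Conservative pre-screen: reject source text that uses a forbidden name in key
// position, bare or quoted. A legitimate key named "constructor" is rejected too;
// that strictness is the point of a temporary workaround.
const KEY_PATTERN = new RegExp(`["']?\\b(${FORBIDDEN_KEYS.join('|')})\\b["']?\\s*:`);

function hasForbiddenKeyText(src) {
  return KEY_PATTERN.test(src);
}

// Defence in depth: walk the parsed value and report the first forbidden own key.
// (JSON.parse defines "__proto__" as an own data property, so it shows up here.)
function findForbiddenKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.includes(key)) return `${path}.${key}`;
    const nested = findForbiddenKey(value[key], `${path}.${key}`);
    if (nested) return nested;
  }
  return null;
}

// Canary: snapshot Object.prototype's own property names before parsing and
// compare afterwards, so a parser that pollutes the global prototype is caught.
function snapshotPrototype() {
  return Object.getOwnPropertyNames(Object.prototype).sort().join(',');
}

function prototypeIntact(snapshot) {
  return snapshotPrototype() === snapshot;
}

// Wrapper: parse untrusted text with `parse` only after screening, then verify.
function safeParse(src, parse) {
  if (typeof src !== 'string') throw new TypeError('input must be a string');
  if (hasForbiddenKeyText(src)) throw new Error('rejected: prototype-polluting key in input');
  const before = snapshotPrototype();
  const result = parse(src);
  if (!prototypeIntact(before)) throw new Error('Object.prototype modified during parse');
  const bad = findForbiddenKey(result);
  if (bad) throw new Error(`rejected: forbidden key at ${bad}`);
  return result;
}
```

Log the rejection reason together with the request context so the SIEM query in the detection section below has something concrete to match on.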

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all jsonic-next function inputs
  • Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for jsonic-next version 2.12.1

Check Version:

npm list jsonic-next | grep jsonic-next

Verify Fix Applied:

Verify jsonic-next version is 2.12.2 or higher using 'npm list jsonic-next'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected property modifications in objects
  • Application crashes with prototype-related errors
  • Unusual function calls to Object.prototype methods

Network Indicators:

  • HTTP requests with specially crafted JSON payloads targeting jsonic-next endpoints

SIEM Query:

source="application.logs" AND ("prototype pollution" OR "jsonic-next" OR "CVE-2024-38993")
