CVE-2024-39001
📋 TL;DR
CVE-2024-39001 is a prototype pollution vulnerability in ag-grid-enterprise v31.3.2 that allows attackers to inject arbitrary properties via the _ModuleSupport.jsonApply component. This can lead to arbitrary code execution or denial of service. Users of ag-grid-enterprise version 31.3.2 are affected.
💻 Affected Systems
- ag-grid-enterprise
📦 What is this software?
Ag Charts by Ag Grid
Ag Grid by Ag Grid
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service causing application crashes or instability, potentially disrupting business operations.
If Mitigated
Limited impact with proper input validation and security controls in place, possibly just application errors.
🎯 Exploit Status
Proof-of-concept code is publicly available in GitHub gists. Exploitation requires the attacker to control the input passed to the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 31.3.3 or later
Vendor Advisory: https://www.ag-grid.com/changelog/
Restart Required: Yes
Instructions:
1. Update the ag-grid-enterprise package to version 31.3.3 or higher.
2. Run npm update ag-grid-enterprise or yarn upgrade ag-grid-enterprise.
3. Restart the application server.
4. Test application functionality.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation for all data passed to the _ModuleSupport.jsonApply function
Object.freeze() on prototypes
Use Object.freeze(Object.prototype) to prevent prototype pollution
Object.freeze(Object.prototype);
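The two workarounds above, shown in an added example that is not ag-grid code and does not reproduce _ModuleSupport.jsonApply itself: naiveApply is a constructed recursive "apply JSON onto a config object" helper with the shape of bug the advisory describes, findPollutionKeys and safeApply are the input-validation workaround, and runDemo applies the Object.freeze(Object.prototype) workaround and reports what each approach did. All function names and the sample payload are assumptions made for illustration.

```javascript
// Added example (not ag-grid code). A naive recursive "apply JSON onto a
// config object" helper beside a hardened one, plus the Object.freeze
// workaround. Function names and the sample payload are constructed.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Walk a parsed JSON value and return the paths of any keys that a naive
// recursive merge could use to reach Object.prototype.
function findPollutionKeys(value, path = "$", found = []) {
  if (value === null || typeof value !== "object") return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, found));
    return found;
  }
  for (const key of Object.keys(value)) {
    const childPath = `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) found.push(childPath);
    findPollutionKeys(value[key], childPath, found);
  }
  return found;
}

// Naive deep apply: target["__proto__"] resolves to Object.prototype, so the
// nested keys of a "__proto__" entry land on every object in the process.
function naiveApply(target, source) {
  for (const key in source) {
    const v = source[key];
    if (isPlainObject(v)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveApply(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Hardened apply: reject the whole payload if any prototype-reaching key is
// present, then merge only own keys into own properties of the target.
function safeApply(target, source) {
  const bad = findPollutionKeys(source);
  if (bad.length > 0) throw new Error(`rejected unsafe keys: ${bad.join(", ")}`);
  return mergeOwn(target, source);
}

function mergeOwn(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // defense in depth if called directly
    const v = source[key];
    if (isPlainObject(v)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeOwn(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Runs each approach against one constructed payload and reports the outcome.
// Note: it freezes Object.prototype for the rest of the process.
function runDemo() {
  // Constructed payload: a legitimate-looking chart option plus a polluting key.
  const payload = JSON.parse(
    '{"series":[{"type":"bar"}],"__proto__":{"polluted":"yes"}}'
  );
  const rejectedPaths = findPollutionKeys(payload); // ["$.__proto__"]

  naiveApply({}, payload);
  const naivePolluted = ({}).polluted === "yes"; // true: every object now has it
  delete Object.prototype.polluted; // undo the pollution for the next steps

  let safeError = null;
  try {
    safeApply({}, payload);
  } catch (e) {
    safeError = e.message; // payload rejected before any merge happened
  }
  const safePolluted = ({}).polluted !== undefined; // false

  // Workaround from the advisory: with Object.prototype frozen the naive merge
  // becomes a no-op (or a TypeError in strict mode) instead of a pollution.
  Object.freeze(Object.prototype);
  try {
    naiveApply({}, payload);
  } catch (e) {
    // TypeError under strict mode; silent failure otherwise
  }
  const frozenPolluted = ({}).polluted !== undefined; // false

  return { rejectedPaths, naivePolluted, safeError, safePolluted, frozenPolluted };
}
```

Call runDemo() once to see the three outcomes side by side. Freezing Object.prototype is process-wide and irreversible, so apply it as early as possible at startup and first confirm that no dependency extends Object.prototype at runtime; the validation approach in safeApply has no such side effect and is the safer default where freezing is not an option.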
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious JSON payloads
- Isolate the vulnerable application in a segmented network zone with strict access controls
🔍 How to Verify
Check if Vulnerable:
Check package.json for ag-grid-enterprise version 31.3.2. Review code for usage of _ModuleSupport.jsonApply.
Check Version:
npm list ag-grid-enterprise | grep ag-grid-enterprise
Verify Fix Applied:
Verify ag-grid-enterprise version is 31.3.3 or higher in package.json and node_modules.
📡 Detection & Monitoring
Log Indicators:
- Unusual JSON payloads in application logs
- Application crashes or errors related to _ModuleSupport.jsonApply
- Unexpected property assignments in object prototypes
Network Indicators:
- Malformed JSON requests to endpoints using ag-grid components
- Unusual spikes in application error responses
SIEM Query:
source="application.logs" AND ("_ModuleSupport.jsonApply" OR "prototype pollution" OR "ag-grid-enterprise")
🔗 References
- https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
- https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
- https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b