CVE-2024-39003

7.3 HIGH

📋 TL;DR

CVE-2024-39003 is a prototype pollution vulnerability in amoyjs amoy common v1.0.10 that allows attackers to inject arbitrary properties into objects. This can lead to arbitrary code execution or denial of service. Anyone using the vulnerable version of this JavaScript library is affected.

💻 Affected Systems

Products:
  • amoyjs amoy common
Versions: v1.0.10
Operating Systems: All platforms running Node.js/JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable setValue function from this library is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Denial of service through application crashes or instability, potentially allowing privilege escalation in multi-user environments.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in GitHub gists; exploitation requires the attacker to control the input passed to the setValue function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.11 or later

Vendor Advisory: https://github.com/amoyjs/amoy-common

Restart Required: Yes

Instructions:

1. Update package.json to use amoy-common v1.0.11 or later.
2. Run npm update amoy-common.
3. Restart all affected applications.
4. Test functionality.

🔧 Temporary Workarounds

Input validation wrapper

Applies to: all

Wrap setValue calls with input validation that rejects property paths containing prototype-polluting keys.

// Implement input validation before calling setValue.
// Assumes setValue is the library's own deep setter; adjust the import to match how your code loads it.
const { setValue } = require('amoy-common');

// Reject any path (dotted string or array of keys) that names a prototype-polluting key.
function safeSetValue(obj, path, value) {
  if (typeof path !== 'string' && !Array.isArray(path)) {
    throw new TypeError('path must be a string or an array of keys');
  }
  if (path.includes('__proto__') || path.includes('constructor') || path.includes('prototype')) {
    throw new Error('Invalid property path');
  }
  return setValue(obj, path, value);
}

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) to limit script execution
  • Isolate the vulnerable component in a sandboxed environment or container

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/amoy-common/package.json for version 1.0.10

Check Version:

npm list amoy-common | grep amoy-common

Verify Fix Applied:

Verify that package.json shows version 1.0.11 or later, and test setValue with malicious inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual property names in object manipulation logs
  • Application crashes with prototype-related errors
  • Unexpected property assignments in debug logs

Network Indicators:

  • Unusual HTTP requests containing prototype pollution payloads
  • Suspicious JavaScript object manipulation in API calls

SIEM Query:

source="application.logs" AND ("__proto__" OR "constructor" OR "prototype") AND "setValue"

🔗 References
