CVE-2024-39011

9.8 CRITICAL

📋 TL;DR

CVE-2024-39011 is a prototype pollution vulnerability in chargeover redoc v2.0.9-rc.69 that allows attackers to modify JavaScript object prototypes, potentially leading to arbitrary code execution or denial of service. This affects any application using this specific version of the redoc library for API documentation.

💻 Affected Systems

Products:
  • chargeover redoc
Versions: v2.0.9-rc.69
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific release candidate version. Production releases may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Denial of service causing application crashes or instability, potentially combined with limited code execution.

🟢 If Mitigated: Application crash requiring restart, but no persistent compromise if proper isolation exists.

🌐 Internet-Facing: HIGH - Web applications using this library are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in a GitHub gist. Exploitation requires the attacker to control the input passed to the mergeObjects function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check whether you are using chargeover redoc v2.0.9-rc.69.
2. Upgrade to a non-vulnerable version when one is available.
3. Restart affected applications.

🔧 Temporary Workarounds

  • Input validation and sanitization (applies to: all): implement strict input validation for objects passed to the mergeObjects function.
  • Library replacement (applies to: all): replace chargeover redoc with an alternative API documentation library.
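The workaround above says to validate objects before they reach mergeObjects. As an added example that is not chargeover redoc's own code, the following shows what that validation looks like: a walker that reports prototype-reaching keys in an untrusted JSON body, a merge that drops such keys instead of copying them, and a runtime canary that tells you whether Object.prototype has already been polluted. The function names and the sample payload are assumptions, not taken from the library.

```javascript
// Added example, not chargeover redoc's own code. mergeObjects is the page's
// name for the vulnerable helper; safeMerge is an assumed substitute.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Walk an untrusted object tree (e.g. a parsed JSON body) and return the
// dotted paths of every key that could reach Object.prototype, so the
// request can be rejected before any merge routine sees it.
function findForbiddenKeys(value, path = "") {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  // JSON.parse stores "__proto__" as an own property, so Object.keys sees it.
  for (const key of Object.keys(value)) {
    const keyPath = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(keyPath);
    hits.push(...findForbiddenKeys(value[key], keyPath));
  }
  return hits;
}

// Deep merge that copies only own, non-forbidden keys into a fresh object;
// a source like {"__proto__": {...}} therefore never touches the prototype chain.
function safeMerge(target, source) {
  const out = { ...target };
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop it and do not recurse into it
    const sv = source[key];
    if (isPlainObject(sv)) {
      out[key] = safeMerge(isPlainObject(out[key]) ? out[key] : {}, sv);
    } else {
      out[key] = sv;
    }
  }
  return out;
}

// Canary: a healthy Object.prototype has no own enumerable keys, so any
// enumerable key there means pollution has already happened in this process.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample input resembling a crafted JSON body.
const untrusted = JSON.parse(
  '{"info":{"title":"API"},"__proto__":{"polluted":true},' +
  '"x":{"constructor":{"prototype":{"p":1}}}}'
);
console.log(findForbiddenKeys(untrusted), prototypeIsClean());
console.log(safeMerge({ info: { version: "1" } }, untrusted));
```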

🧯 If You Can't Patch

  • Implement WAF rules to detect and block prototype pollution attempts
  • Isolate affected applications in network segments with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check package.json or other dependency files for chargeover redoc at version 2.0.9-rc.69.

Check Version:

npm list chargeover-redoc (for Node.js applications)

Verify Fix Applied:

Verify that chargeover redoc is no longer at version 2.0.9-rc.69.

📡 Detection & Monitoring

Log Indicators:

  • Unusual mergeObjects function calls
  • Application crashes with prototype-related errors
  • Unexpected object property modifications

Network Indicators:

  • HTTP requests with specially crafted JSON payloads
  • Requests targeting API documentation endpoints

SIEM Query:

source="web_logs" AND (uri="*redoc*" OR user_agent="*redoc*") AND (status=500 OR method=POST)
