CVE-2024-39853

6.5 MEDIUM

📋 TL;DR

CVE-2024-39853 is a prototype pollution vulnerability in adolph_dudu ratio-swiper version 0.0.2 that allows attackers to inject arbitrary properties into object prototypes. This can lead to arbitrary code execution or denial of service. Anyone using this specific version of the ratio-swiper package is affected.

💻 Affected Systems

Products:
  • adolph_dudu ratio-swiper
Versions: 0.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only version 0.0.2 is confirmed vulnerable. The vulnerability exists in the parse function.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case: Denial of service causing application crashes or instability, potentially leading to data corruption.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, possibly just application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available as a GitHub gist. Exploitation requires the attacker to control the input passed to the parse function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Remove ratio-swiper 0.0.2 from your project.
2. Check if any dependencies rely on this package.
3. Consider alternative packages or forks with security fixes.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for all data passed to the parse function.

Object.freeze on Object.prototype (applies to: all)

Prevent prototype pollution by freezing Object.prototype:

Object.freeze(Object.prototype);
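The following is an added example, not code from the advisory or from the ratio-swiper project. It applies both workarounds above to a hypothetical stand-in for the vulnerable parse routine (the real function's signature and behaviour are not documented here): dotted keys are validated before use and expanded into null-prototype objects, Object.prototype is frozen once at startup, and a small integrity check reports whether Object.prototype has picked up any enumerable key, which is the "unusual property modification" indicator the detection section refers to. The inputs are constructed for the demonstration.

```javascript
// Added example (not the advisory's or the project's code): hardened
// stand-in for a dotted-key "parse" routine, the Object.freeze workaround,
// and a runtime check that Object.prototype has not been modified.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split a dotted path such as "swiper.ratio" into segments and reject any
// segment that is empty or could walk into the prototype chain.
function safeSegments(path) {
  const segments = String(path).split(".");
  for (const seg of segments) {
    if (seg === "" || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected unsafe key segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Hypothetical hardened parser: expands { "a.b": v } into { a: { b: v } }.
// Every container is created with Object.create(null), so even a key that
// slipped past validation would become a plain own property rather than a
// write to Object.prototype.
function safeParse(flat) {
  const root = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const segments = safeSegments(path);
    let cursor = root;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof cursor[seg] !== "object" || cursor[seg] === null) {
        cursor[seg] = Object.create(null);
      }
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value;
  }
  return root;
}

// Runtime integrity check: Object.prototype's built-in members are all
// non-enumerable, so any enumerable own key is a pollution indicator.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample inputs: a benign config and one whose key path points
// at the prototype chain.
const BENIGN_INPUT = { "swiper.ratio": 1.5, "swiper.loop": true };
const HOSTILE_INPUT = { "__proto__.polluted": "yes" };

// True when the hostile input is rejected and no fresh object inherits the
// injected property afterwards.
function hostileInputIsRejected() {
  let rejected = false;
  try {
    safeParse(HOSTILE_INPUT);
  } catch (err) {
    rejected = true;
  }
  return rejected && ({}).polluted === undefined && prototypeIsClean();
}

// The advisory's second workaround: freeze Object.prototype once at startup,
// before any untrusted input is parsed. A later write to it fails silently
// in sloppy mode and throws a TypeError in strict mode; either way no new
// property appears. Returns true when the freeze is confirmed in effect.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
  let writeLanded = false;
  try {
    Object.prototype.canary = "x"; // write attempt used only to confirm the freeze
    writeLanded = ({}).canary === "x";
  } catch (err) {
    writeLanded = false; // strict mode: TypeError on a frozen target
  }
  return Object.isFrozen(Object.prototype) && !writeLanded && prototypeIsClean();
}
```

Two points on the freeze workaround: it is permanent for the process and must run before any library that legitimately extends Object.prototype has loaded, or that library will fail; and it protects only Object.prototype, so key validation (the first workaround) is still needed for paths that reach other prototypes through `constructor.prototype`. Node also offers the experimental `--frozen-intrinsics` flag, which freezes the built-in prototypes at startup.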

🧯 If You Can't Patch

  • Isolate the vulnerable component in a sandboxed environment with minimal privileges
  • Implement network segmentation to limit potential lateral movement if exploited

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for ratio-swiper version 0.0.2

Check Version:

npm list ratio-swiper

Verify Fix Applied:

Verify ratio-swiper 0.0.2 is no longer in package.json or node_modules
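The check above is easy to miss when ratio-swiper arrives as a transitive dependency and sits under another package's node_modules rather than at the top level. The following is an added example, not part of the advisory, that enumerates every installed copy recorded in an npm lockfile and flags those at 0.0.2. It handles the two lockfile shapes npm writes: v2/v3, where "packages" is keyed by install path, and v1, where "dependencies" nests. The sample lockfiles and the package name "some-widget" are constructed for the demonstration.

```javascript
// Added example (not from the advisory): find every installed copy of
// ratio-swiper in an npm lockfile, nested copies included, and report any
// at the affected version.

const AFFECTED_PACKAGE = "ratio-swiper";
const AFFECTED_VERSIONS = new Set(["0.0.2"]);

function findInstalledCopies(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/ratio-swiper".
    // The "node_modules/" prefix in the suffix test keeps "x-ratio-swiper"
    // and scoped packages from matching.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath.endsWith(`node_modules/${name}`) && meta.version) {
        hits.push({ path: installPath, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: nested "dependencies" maps, each entry carrying its own version.
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${depName}`;
        if (depName === name && meta.version) {
          hits.push({ path: installPath, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Only the copies whose version is in the affected set.
function affectedCopies(lock) {
  return findInstalledCopies(lock, AFFECTED_PACKAGE)
    .filter((hit) => AFFECTED_VERSIONS.has(hit.version));
}

// Read and scan a real lockfile from disk, e.g. scanLockfile("package-lock.json").
function scanLockfile(lockfilePath) {
  const fs = require("fs");
  return affectedCopies(JSON.parse(fs.readFileSync(lockfilePath, "utf8")));
}

// Constructed v3 sample: no direct dependency on ratio-swiper, but the
// hypothetical "some-widget" pulls in the affected version transitively.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "some-widget": "^2.1.0" } },
    "node_modules/some-widget": { version: "2.1.0", dependencies: { "ratio-swiper": "0.0.2" } },
    "node_modules/some-widget/node_modules/ratio-swiper": { version: "0.0.2" },
    "node_modules/other-lib": { version: "4.2.0" },
  },
};

// The same constructed tree in the v1 shape.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "some-widget": {
      version: "2.1.0",
      requires: { "ratio-swiper": "0.0.2" },
      dependencies: { "ratio-swiper": { version: "0.0.2" } },
    },
    "other-lib": { version: "4.2.0" },
  },
};
```

Because npm records every install path, scanning the lockfile rather than only package.json reports the nested copy under some-widget, which a direct-dependency check would overlook; the result lists the install path so the offending parent package can be replaced or pinned.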

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual property modifications in objects
  • Parse function receiving malformed input

Network Indicators:

  • Unusual outbound connections from the application
  • Requests with specially crafted payloads to endpoints using parse function

SIEM Query:

source="application_logs" AND ("ratio-swiper" OR "parse function") AND ("crash" OR "error" OR "unexpected")
