CVE-2024-57063

7.5 HIGH

📋 TL;DR

This vulnerability is a prototype pollution flaw in php-date-formatter v1.3.6 that allows attackers to inject malicious properties into JavaScript objects. By supplying a crafted payload, attackers can cause Denial of Service (DoS) by crashing the application. Any application using the vulnerable version of php-date-formatter is affected.

💻 Affected Systems

Products:
  • php-date-formatter
Versions: v1.3.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable library version is affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application crash leading to sustained downtime, potential data corruption, and service unavailability until manual intervention.

🟠 Likely Case

Application instability and intermittent crashes causing degraded performance and partial service disruption.

🟢 If Mitigated

Minimal impact with proper input validation and security controls in place, potentially causing only minor performance degradation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of prototype pollution techniques and ability to craft specific payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.3.7 or later

Vendor Advisory: https://gist.github.com/tariqhawis/dcb93b4788273c3ffb15f70dc45ca4e7

Restart Required: No

Instructions:

1. Update php-date-formatter to v1.3.7 or later using npm: npm update php-date-formatter
2. Verify the update completed successfully
3. Test application functionality to ensure compatibility

🔧 Temporary Workarounds

Input Validation / Sanitization


Implement strict input validation to reject malformed date format strings before they reach the vulnerable function.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious date format patterns
  • Isolate affected systems from untrusted networks and implement strict access controls

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list php-date-formatter

Check Version:

npm list php-date-formatter | grep php-date-formatter

Verify Fix Applied:

Verify installed version is v1.3.7 or later: npm list php-date-formatter | grep php-date-formatter

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs
  • Unusual memory usage spikes
  • Error messages related to date formatting

Network Indicators:

  • Unusual patterns in date format parameters
  • Repeated requests with malformed date strings

SIEM Query:

source=application_logs AND ("php-date-formatter" OR "date formatting error" OR "prototype pollution")
