CVE-2024-57072
📋 TL;DR
A prototype pollution vulnerability in module-from-string v3.3.1's lib.requireFromString function allows attackers to inject malicious properties into JavaScript objects, potentially causing Denial of Service (DoS). This affects applications that use this module to dynamically load code from strings. Developers using module-from-string in their Node.js applications are at risk.
💻 Affected Systems
- module-from-string
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash or unavailability due to prototype pollution leading to infinite loops, memory exhaustion, or unexpected behavior that halts execution.
Likely Case
Application instability or crashes when processing malicious payloads, resulting in temporary DoS until the service is restarted.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially causing isolated errors without full service disruption.
🎯 Exploit Status
Exploitation requires crafting a specific payload to trigger prototype pollution. No public proof-of-concept is available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.3.2 or later
Vendor Advisory: https://github.com/floatdrop/require-from-string
Restart Required: No
Instructions:
1. Update module-from-string to version 3.3.2 or later using npm: npm update module-from-string
2. Verify the update by checking package.json or by running: npm list module-from-string
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject any payloads containing suspicious patterns that could trigger prototype pollution.
🧯 If You Can't Patch
- Implement strict input validation to reject crafted payloads before they reach the requireFromString function.
- Isolate the vulnerable function in a sandboxed environment or worker thread to limit impact.
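The two workarounds above (rejecting suspicious payloads before they reach requireFromString, and containing the damage if one gets through) can be combined in a small gate around the loader. The following is an added example written for this advisory; it is not code from the module-from-string project. The loader is passed in as a parameter so the example runs without the module installed (in production you would pass lib.requireFromString), and the pattern list, the size limit and the hypothetical names safeLoad and findSuspiciousPatterns are assumptions to tune for your codebase.

```javascript
'use strict';

// Tokens that commonly appear in prototype-pollution payloads (assumed list).
// A hit is a reason to refuse the payload, not proof of an attack.
const SUSPICIOUS_PATTERNS = [
  { name: '__proto__', re: /__proto__/ },
  { name: 'constructor.prototype', re: /\bconstructor\b\s*(\.|\[\s*['"])\s*prototype/ },
  { name: 'Object.prototype', re: /\bObject\s*\.\s*prototype\b/ },
  { name: 'Object.setPrototypeOf', re: /\bObject\s*\.\s*setPrototypeOf\b/ },
];

// Return the names of every pattern found in the source string.
function findSuspiciousPatterns(source) {
  return SUSPICIOUS_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.name);
}

// Snapshot of Object.prototype's own property names, taken before loading.
function prototypeSnapshot() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}

// Any own property of Object.prototype that was not in the snapshot is a sign
// that the loaded code polluted the global prototype.
function newPrototypeKeys(before) {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
}

// Gate a dynamic loader (e.g. requireFromString) with a pre-load check on the
// payload and a post-load check on Object.prototype. Throws instead of
// returning when either check fails, so callers cannot use a tainted result.
function safeLoad(loader, source, maxLength = 64 * 1024) {
  if (typeof source !== 'string') {
    throw new TypeError('source must be a string');
  }
  if (source.length > maxLength) {
    throw new RangeError(`source exceeds ${maxLength} characters`);
  }
  const hits = findSuspiciousPatterns(source);
  if (hits.length > 0) {
    throw new Error(`rejected payload: suspicious pattern(s): ${hits.join(', ')}`);
  }

  const before = prototypeSnapshot();
  const result = loader(source);
  const leaked = newPrototypeKeys(before);
  if (leaked.length > 0) {
    // Best-effort cleanup so the process does not keep running polluted.
    for (const key of leaked) {
      delete Object.prototype[key];
    }
    throw new Error(`Object.prototype polluted with: ${leaked.join(', ')}`);
  }
  return result;
}

// Constructed sample payloads: one benign module, one that trips the gate.
const BENIGN_SOURCE = 'module.exports = { ok: true };';
const FLAGGED_SOURCE = 'module.exports = {}; x.__proto__.polluted = 1;';

console.log('benign hits:', findSuspiciousPatterns(BENIGN_SOURCE));   // []
console.log('flagged hits:', findSuspiciousPatterns(FLAGGED_SOURCE)); // ['__proto__']
```

The pre-load check is cheap but only catches the spelled-out forms; the post-load snapshot catches whatever slips past it, at the cost of running the code first, so pair it with the worker-thread isolation the advisory recommends. A further hardening step is Object.freeze(Object.prototype) at process start, which makes pollution attempts throw in strict mode; test it first, because some libraries still extend built-in prototypes.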
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses module-from-string version 3.3.1 by running npm list module-from-string and reading the reported version.
Check Version:
npm list module-from-string
Verify Fix Applied:
After updating, verify the version is 3.3.2 or later with: npm list module-from-string
📡 Detection & Monitoring
Log Indicators:
- Unusual application crashes or restarts
- Error logs mentioning prototype pollution or requireFromString failures
- High memory usage spikes
Network Indicators:
- Increased error responses (e.g., 500 Internal Server Error) from the application
SIEM Query:
source="application.logs" AND ("prototype pollution" OR "requireFromString" OR "module-from-string")