CVE-2024-57075
📋 TL;DR
This CVE describes a prototype pollution vulnerability in eazy-logger v4.0.1: a specially crafted object passed to the lib.Logger function can pollute Object.prototype, and the reported impact is Denial of Service (DoS). Any application using the vulnerable version of eazy-logger is affected, particularly Node.js applications that build logger options from untrusted input (for example a parsed JSON request body or query string).
💻 Affected Systems
- eazy-logger
⚠️ Manual Verification Required
This CVE entry carries no machine-readable version range, so automated vulnerability detection cannot determine from the database alone whether your system is affected, even though the advisory text names v4.0.1 as vulnerable and v4.0.2 as the fix.
Why? The CVE database entry has no version ranges attached (none provided by the vendor/NVD), so scanners that key on NVD version data will not flag the package. Confirm the installed version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to process crashes or resource exhaustion, potentially affecting downstream services that depend on the vulnerable application.
Likely Case
Application instability, intermittent crashes, or degraded performance when malicious payloads trigger the vulnerability.
If Mitigated
Minimal impact if input validation and sanitization prevent malicious payloads from reaching the vulnerable function.
🎯 Exploit Status
Exploitation requires sending crafted payloads to the vulnerable function. The reference gist provides technical details but not a complete exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.0.2 or later
Vendor Advisory: https://github.com/shakyShane/eazy-logger
Restart Required: Yes
Instructions:
1. Check the version of eazy-logger that is actually installed (node_modules/eazy-logger/package.json or npm list eazy-logger), not only the range declared in package.json.
2. Update to v4.0.2 or later. npm update eazy-logger only moves within the range already declared in package.json, so if the dependency is pinned to 4.0.1 run npm install eazy-logger@^4.0.2 instead, then commit the updated lockfile.
3. Restart the application so the patched module is loaded; a running Node.js process keeps the old code in memory until it is restarted.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation so that no untrusted object reaches the lib.Logger function: reject or strip the keys __proto__, constructor and prototype from parsed request data, and copy only an allow-list of expected fields onto a fresh object (ideally one created with Object.create(null)) before using it as logger configuration.
🧯 If You Can't Patch
- Keep untrusted objects away from the logger entirely: build logger options from server-side constants, and if user data must be logged, pass it as a message string rather than as part of the configuration object. Where a WAF or API gateway sits in front of the application, add a rule that blocks request bodies and query strings containing __proto__, constructor or prototype keys.
- Monitor application logs for crashes, restarts and unexpected TypeErrors, rate-limit the endpoints whose input can reach the logger, and run the process under a supervisor so a crash becomes a restart rather than an outage. Freezing Object.prototype at startup (Object.freeze(Object.prototype)) is a further backstop for this vulnerability class, but test it first since some libraries extend built-ins deliberately.
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/eazy-logger/package.json for version 4.0.1.
Check Version:
npm list eazy-logger
Verify Fix Applied:
Verify that the installed version is 4.0.2 or higher after updating (check node_modules/eazy-logger/package.json, not only the range in package.json) and exercise the logger with the inputs your application normally passes to it.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or restarts of the Node.js process, including "Maximum call stack size exceeded" or out-of-memory aborts
- Unexpected TypeErrors ("... is not a function", "Cannot read properties of undefined") or plain objects suddenly carrying keys they were never given, which is how a polluted Object.prototype usually surfaces; stack traces that pass through node_modules/eazy-logger
- High frequency of logging errors, especially clustered around requests from a single client
Network Indicators:
- Request bodies or query strings containing __proto__, constructor or prototype keys (JSON form "__proto__": {...}, or the bracketed form a[__proto__][x]=1 accepted by some query-string parsers)
- Spike in requests to the endpoints whose input can reach the logger configuration
SIEM Query:
source="application_logs" AND ("__proto__" OR "constructor*prototype" OR "node_modules/eazy-logger" OR "Maximum call stack size exceeded")