CVE-2024-57082
📋 TL;DR
A prototype pollution vulnerability in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to supply crafted payloads that can cause Denial of Service (DoS) by crashing the application. This affects any application using this specific version of the uploader library. The vulnerability requires an attacker to be able to send malicious upload requests to the affected endpoint.
💻 Affected Systems
- @rpldy/uploader
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to DoS, potentially disrupting business operations and user access.
Likely Case
Temporary service disruption affecting upload functionality, requiring application restart to recover.
If Mitigated
Minimal impact with proper input validation and request filtering in place.
🎯 Exploit Status
Proof of concept available in the referenced GitHub gist. Exploitation requires sending crafted upload requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.8.2 or later
Vendor Advisory: https://github.com/rpldy/react-uploady/releases
Restart Required: Yes
Instructions:
1. Update @rpldy/uploader to v1.8.2 or later using npm update @rpldy/uploader.
2. Restart the application.
3. Verify the fix by checking the package.json version.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject malformed upload requests before they reach the vulnerable function.
Rate Limiting
Apply rate limiting to upload endpoints to reduce the impact of DoS attempts.
🧯 If You Can't Patch
- Implement WAF rules to block requests with suspicious payload patterns targeting prototype pollution.
- Isolate upload functionality to separate services with limited blast radius.
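The server-side validation filter and the prototype-pollution request blocking described above, as an added example that is not part of this advisory or of the @rpldy/uploader project. It assumes upload requests carry a JSON body and shows two layers: a guard that rejects any body containing a key that can redirect writes to Object.prototype (`__proto__`, `constructor`, `prototype`), and a defensive deep merge for code paths that must merge user-supplied options anyway. The function names (findPollutingKey, guardUploadBody, safeDeepMerge) and the sample payloads are constructed for illustration.

```javascript
// Added example (not from the advisory or the library): reject or neutralise
// prototype-polluting keys in JSON upload metadata before application code sees it.

const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walk a parsed JSON value and return the dotted path of the first
// polluting key, or null if the payload is clean. JSON.parse creates "__proto__"
// as an ordinary own property, so Object.keys() does surface it here.
function findPollutingKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutingKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (POLLUTING_KEYS.has(key)) return here;
      const hit = findPollutingKey(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Layer 1: parse the raw body and refuse it outright if it carries a polluting key.
// Returns { ok, body } on success or { ok: false, reason } for the caller to turn
// into an HTTP 400 and a log line.
function guardUploadBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const hit = findPollutingKey(parsed);
  if (hit) return { ok: false, reason: `forbidden key at ${hit}` };
  return { ok: true, body: parsed };
}

// Layer 2: a deep merge that copies only own, non-polluting keys, so even a body
// that slipped past the guard cannot write into Object.prototype via the merge.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const src = source[key];
    const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
    if (isPlainObject(src)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeDeepMerge(isPlainObject(existing) ? existing : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample bodies (not taken from the advisory or its proof of concept).
const CLEAN_BODY = JSON.stringify({ destination: { url: '/files' }, autoUpload: true });
const POLLUTING_BODY = '{"destination":{"__proto__":{"polluted":true}}}';

// Stand-alone run: show the verdict for each sample body.
for (const body of [CLEAN_BODY, POLLUTING_BODY, 'not json']) {
  console.log(JSON.stringify(guardUploadBody(body)));
}
```

Blocking the `constructor` key is deliberately strict; a payload that legitimately needs a field of that name would have to be renamed, which is usually the cheaper trade-off compared with a pollution path through `constructor.prototype`.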
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/@rpldy/uploader/package.json for version 1.8.1.
Check Version:
npm list @rpldy/uploader
Verify Fix Applied:
Confirm version is 1.8.2 or later in package.json and test upload functionality.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or restarts following upload requests
- Unusual error messages related to prototype pollution or object manipulation
Network Indicators:
- Spike in upload requests with unusual payload sizes or patterns
- Requests containing crafted JSON objects targeting object prototypes
SIEM Query:
source="application.logs" AND ("prototype pollution" OR "uploader crash" OR "DoS")
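The log and network indicators listed above, turned into detection logic as an added example that is not part of this advisory. It assumes an application log of one JSON record per line with a `kind` field distinguishing request records (with `method`, `path`, `body`) from process records (with `message`); the field names, the 30-second window and the sample log lines are constructed for illustration. It flags upload requests whose body targets object prototypes, and process crash or restart events that occur shortly after an upload request.

```javascript
// Added example (not from the advisory): scan an application log for the two
// indicator types the advisory names, polluting payloads and crashes after uploads.

// Request bodies that reference a prototype, directly or via constructor.prototype
// (the .{0,6} allows for quoting and punctuation between the two words in JSON).
const POLLUTION_PATTERN = /__proto__|constructor.{0,6}prototype/;
// Process messages that indicate the application died or was restarted.
const CRASH_PATTERN = /exited|crash|restart/i;

// Parse newline-delimited JSON; malformed lines are skipped rather than fatal.
function parseLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      records.push(JSON.parse(line));
    } catch (err) {
      // ignore unparsable line
    }
  }
  return records;
}

// Return { suspiciousPayloads, crashesAfterUpload } for the given log text.
function analyzeUploadLog(text, { uploadPath = '/upload', windowSeconds = 30 } = {}) {
  const records = parseLog(text);
  const uploads = records.filter(
    (r) => r.kind === 'request' && r.method === 'POST' && r.path === uploadPath,
  );
  const suspiciousPayloads = uploads.filter((r) => POLLUTION_PATTERN.test(r.body || ''));

  const crashesAfterUpload = [];
  for (const r of records) {
    if (r.kind !== 'process' || !CRASH_PATTERN.test(r.message || '')) continue;
    const crashTime = Date.parse(r.ts);
    // Most recent upload request at or before the crash, inside the window.
    let candidate = null;
    for (const u of uploads) {
      const delta = (crashTime - Date.parse(u.ts)) / 1000;
      if (delta >= 0 && delta <= windowSeconds &&
          (!candidate || Date.parse(u.ts) > Date.parse(candidate.ts))) {
        candidate = u;
      }
    }
    if (candidate) {
      crashesAfterUpload.push({
        event: r,
        request: candidate,
        secondsAfter: (crashTime - Date.parse(candidate.ts)) / 1000,
      });
    }
  }
  return { suspiciousPayloads, crashesAfterUpload };
}

// Constructed sample log (not real data): one clean upload, one polluting upload
// followed by a worker crash and restart, a later clean upload, and a scheduled
// restart with no upload nearby.
const SAMPLE_EVENTS = [
  { ts: '2024-01-01T10:00:00Z', kind: 'request', method: 'POST', path: '/upload', body: '{"destination":{"url":"/files"}}' },
  { ts: '2024-01-01T10:00:05Z', kind: 'request', method: 'POST', path: '/upload', body: '{"destination":{"__proto__":{"x":1}}}' },
  { ts: '2024-01-01T10:00:06Z', kind: 'process', message: 'worker exited unexpectedly (code 1)' },
  { ts: '2024-01-01T10:00:07Z', kind: 'process', message: 'worker restarted' },
  { ts: '2024-01-01T10:05:00Z', kind: 'request', method: 'POST', path: '/upload', body: '{"autoUpload":true}' },
  { ts: '2024-01-01T10:20:00Z', kind: 'process', message: 'scheduled restart' },
];
const SAMPLE_LOG = SAMPLE_EVENTS.map((e) => JSON.stringify(e)).join('\n') + '\nnot a json line\n';

// Stand-alone run: print a summary of what was found.
const findings = analyzeUploadLog(SAMPLE_LOG);
console.log(`suspicious payloads: ${findings.suspiciousPayloads.length}`);
for (const f of findings.crashesAfterUpload) {
  console.log(`"${f.event.message}" ${f.secondsAfter}s after upload at ${f.request.ts}`);
}
```

The time-window correlation is what separates a crash caused by an upload from routine restarts: the scheduled restart in the sample is not flagged because no upload precedes it within the window, while both the crash and the restart that follow the polluting request are attributed to it.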