CVE-2024-57083

7.5 HIGH

📋 TL;DR

This CVE describes a prototype pollution vulnerability in Redoc's Module.mergeObjects function that allows attackers to cause Denial of Service (DoS) by sending specially crafted payloads. The vulnerability affects Redoc versions 2.2.0 and earlier, potentially impacting any application or service using these vulnerable versions to render API documentation.

💻 Affected Systems

Products:
  • Redoc
Versions: <= 2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any deployment using vulnerable Redoc versions to render OpenAPI/Swagger documentation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability through resource exhaustion or application crashes, potentially affecting all users of the vulnerable Redoc instance.

🟠 Likely Case

Temporary service disruption or degraded performance when attackers send crafted payloads to trigger the prototype pollution.

🟢 If Mitigated

Minimal impact with proper input validation and sanitization in place, though the underlying vulnerability remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending crafted payloads to trigger prototype pollution in the mergeObjects function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.2.0

Vendor Advisory: https://github.com/Redocly/redoc/issues/2499

Restart Required: No

Instructions:

1. Update Redoc to version 2.2.1 or later.
2. Run npm update redoc or yarn upgrade redoc.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input Validation

Implement strict input validation and sanitization for all data passed to Redoc's mergeObjects function.
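To make the workaround concrete, here is an added example (not Redoc's mergeObjects or its fix) that places a naive deep merge beside a hardened one and shows, on a constructed payload, why a merge must refuse prototype-reaching keys:

```javascript
// Added example (not Redoc's code): a naive deep merge beside a hardened one.
// Prototype pollution happens when a merge writes through a "__proto__" key
// and reaches Object.prototype, so every object in the process is affected.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Naive recursive merge: copies every key, including "__proto__", so it
// recurses into Object.prototype. Illustrative of the bug class only.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: drops prototype-reaching keys and only recurses into
// properties the target itself owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop rather than write
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample input: an OpenAPI-like fragment carrying a "__proto__"
// key. JSON.parse creates it as an own property, so Object.keys sees it.
const CONSTRUCTED_PAYLOAD = JSON.parse(
  '{"info":{"title":"Demo API"},"__proto__":{"polluted":"yes"}}'
);

// Runs mergeFn on a fresh object and reports whether Object.prototype stayed
// clean, then removes any leaked property so later code is unaffected.
function leavesPrototypeClean(mergeFn, payload) {
  mergeFn({}, payload);
  const clean = !('polluted' in {});
  delete Object.prototype.polluted;
  return clean;
}
```

The same guard belongs in front of any input that reaches a merge, because validating the schema of a document does not by itself reject these key names.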

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious payloads targeting the mergeObjects function.
  • Isolate Redoc instances behind reverse proxies with rate limiting and request filtering.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list redoc to verify that the installed version is <= 2.2.0.

Check Version:

npm list redoc | grep redoc

Verify Fix Applied:

Confirm Redoc version is > 2.2.0 using npm list redoc or checking package.json.

📡 Detection & Monitoring

Log Indicators:

  • Unusual error messages related to mergeObjects
  • Application crashes or high resource usage spikes

Network Indicators:

  • Suspicious HTTP requests with crafted JSON payloads to Redoc endpoints

SIEM Query:

source="application_logs" AND ("mergeObjects" OR "prototype pollution")
