CVE-2024-57085
📋 TL;DR
This CVE describes a prototype pollution vulnerability in the deepMerge function of @stryker-mutator/util version 8.6.0, allowing attackers to cause Denial of Service (DoS) by supplying a crafted payload. It affects applications using this specific version of the Stryker mutation testing utility library. The vulnerability enables attackers to manipulate object prototypes, potentially leading to application crashes or resource exhaustion.
💻 Affected Systems
- @stryker-mutator/util
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to resource exhaustion or crash, disrupting mutation testing workflows and potentially affecting CI/CD pipelines.
Likely Case
Application instability or crashes during mutation testing operations when processing malicious payloads, causing testing failures.
If Mitigated
Limited impact with proper input validation and updated library versions, maintaining normal testing functionality.
🎯 Exploit Status
Exploitation requires the ability to supply crafted input to the deepMerge function. The provided GitHub gist shows technical details but not a complete exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 8.6.1 or later
Vendor Advisory: https://github.com/stryker-mutator/stryker-js/security/advisories
Restart Required: No
Instructions:
1. Update package.json to use @stryker-mutator/util version 8.6.1 or higher.
2. Run 'npm update @stryker-mutator/util' or 'yarn upgrade @stryker-mutator/util'.
3. Verify the update with 'npm list @stryker-mutator/util' or equivalent.
🔧 Temporary Workarounds
Input validation for deepMerge
Implement strict input validation before passing data to the deepMerge function to prevent prototype pollution payloads.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all data passed to the deepMerge function
- Monitor application logs for unusual patterns or crashes during mutation testing operations
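As an added example (not code from @stryker-mutator/util or the Stryker project), this is the validation step recommended in both the workaround and the can't-patch guidance above: a guard that refuses prototype-altering keys before any merge runs. The merge signature and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not code from @stryker-mutator/util: the "strict input
// validation before deepMerge" workaround from this advisory. It rejects any
// nested key that could rewrite Object.prototype and merges only own,
// enumerable properties. The merge signature below is an assumption.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Walks nested input and throws on the first forbidden key. Object.keys is
// used so an own "__proto__" property created by JSON.parse is seen too.
function assertSafeMergeInput(value, path = '$') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertSafeMergeInput(item, `${path}[${i}]`));
    return;
  }
  if (!isPlainObject(value)) return;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`unsafe key "${key}" at ${path}`);
    assertSafeMergeInput(value[key], `${path}.${key}`);
  }
}

// Guarded deep merge: validate both sides first, then copy own enumerable
// properties into a fresh object, so neither input is mutated.
function safeDeepMerge(target, source) {
  assertSafeMergeInput(target);
  assertSafeMergeInput(source);
  const out = { ...target };
  for (const key of Object.keys(source)) {
    const a = out[key];
    const b = source[key];
    out[key] = isPlainObject(a) && isPlainObject(b) ? safeDeepMerge(a, b) : b;
  }
  return out;
}

// Constructed sample inputs (not from the advisory): a benign override and
// one that the validator must refuse before any merge takes place.
const SAMPLE_BASE = { retries: 1, limits: { maxWorkers: 4 } };
const SAMPLE_OVERRIDE = JSON.parse('{"retries": 3, "limits": {"timeoutMs": 5000}}');
const SAMPLE_REJECTED = JSON.parse('{"limits": {"__proto__": {"maxWorkers": 0}}}');
```

Calling safeDeepMerge(SAMPLE_BASE, SAMPLE_OVERRIDE) returns the merged configuration, while safeDeepMerge(SAMPLE_BASE, SAMPLE_REJECTED) throws before touching either object.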
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list @stryker-mutator/util' to see if version 8.6.0 is installed.
Check Version:
npm list @stryker-mutator/util | grep @stryker-mutator/util
Verify Fix Applied:
Verify the installed version is 8.6.1 or higher using 'npm list @stryker-mutator/util'.
📡 Detection & Monitoring
Log Indicators:
- Application crashes during mutation testing
- Unusual memory consumption patterns
- Errors related to object prototype manipulation
Network Indicators:
- Not applicable - this is a local library vulnerability
SIEM Query:
Not applicable for typical SIEM monitoring as this is a development utility vulnerability