
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2024-52810

Severity Medium
Score 6.9/10

Summary

The package @intlify/shared is a shared library for the intlify project. It is vulnerable to Prototype Pollution through the entry function(s) "lib.deepCopy". An attacker can supply a payload with an "Object.prototype" setter to introduce or modify properties within the global prototype chain, with Denial of Service (DoS) as the minimum consequence. The consequences can escalate to other injection-based attacks, depending on how the library is integrated within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue affects @intlify/shared, @intlify/vue-i18n-core, petite-vue-i18n, and vue-i18n versions 9.7.0 through 9.14.1, 10.0.0-alpha.1 through 10.0.4, and 11.0.0-beta.0 through 11.0.0-beta.1.

  • LOW
  • NETWORK
  • NONE
  • NONE

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerabilities. It allows attackers to abuse the rules of JavaScript by injecting properties into the prototype of the base object, "Object". Because objects inherit from that prototype, modifying it affects the behavior of all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.
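
The mechanism described above, as an added example that is not code from @intlify/shared or from this advisory: a simplified recursive copy that follows an inherited `__proto__` reference, beside a hardened form that skips prototype-bearing keys and descends only into own properties. The function names and the sample payload are constructed for illustration.

```javascript
// Added example: simplified copy routines, NOT the @intlify/shared source.
// Function names and the sample payload are constructed for illustration.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: JSON.parse creates "__proto__" as an OWN key of src, but
// dest["__proto__"] resolves through the accessor to Object.prototype, so the
// recursion writes the nested values onto the shared prototype.
function naiveDeepCopy(src, dest) {
  for (const key of Object.keys(src)) {
    if (isObject(src[key])) {
      if (!isObject(dest[key])) dest[key] = {};
      naiveDeepCopy(src[key], dest[key]);
    } else {
      dest[key] = src[key];
    }
  }
  return dest;
}

// Hardened pattern: drop prototype-bearing keys and recurse only into
// objects that dest owns itself, never into anything it inherits.
// (Arrays are copied by reference to keep the example short.)
function safeDeepCopy(src, dest) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = src[key];
    if (isObject(value)) {
      if (!hasOwn(dest, key) || !isObject(dest[key])) dest[key] = {};
      safeDeepCopy(value, dest[key]);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Regression check: copy a constructed payload, report whether a fresh object
// inherited the marker property, then clean up so the check is repeatable.
function pollutesPrototype(copyFn) {
  const payload = JSON.parse('{"locale":"en","__proto__":{"polluted":true}}');
  copyFn(payload, {});
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

console.log('naive copy pollutes:', pollutesPrototype(naiveDeepCopy));
console.log('safe copy pollutes: ', pollutesPrototype(safeDeepCopy));
```

A check like `pollutesPrototype` can be kept as a unit test around any merge or copy helper that accepts parsed JSON.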

Advisory Timeline

  • Published