Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2024-52810
Summary
The package @intlify/shared is a shared library for the intlify project, which is vulnerable to Prototype Pollution through the entry function(s) "lib.deepCopy." An attacker can supply a payload with an "Object.prototype" setter to introduce or modify properties within the global prototype chain, causing Denial of Service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue affects @intlify/shared, @intlify/vue-i18n-core, petite-vue-i18n, and vue-i18n versions 9.7.0 through 9.14.1, 10.0.0-alpha.1 through 10.0.4, and 11.0.0-beta.0 through 11.0.0-beta.1.
- LOW
- NETWORK
- NONE
- NONE
CWE-1321 - Prototype Pollution
Prototype pollution is one of the lesser-known vulnerabilities. It allows attackers to abuse the rules of JavaScript by injecting properties into the general object “Object” in JS. Modifying the prototype of “Object” affects the behavior of all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.
References
Advisory Timeline
- Published