CVE-2024-21505

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-1321
View all →

Vulnerability Description

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Related Vulnerabilities

CVE-2019-10745

HIGH
CVSS:7.5(High)

assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using eit...

CWE-13212019

CVE-2019-10768

HIGH
CVSS:7.5(High)

In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.

CWE-13212019

CVE-2019-16328

HIGH
CVSS:7.5(High)

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

CWE-13212019

CVE-2020-24939

HIGH
CVSS:7.5(High)

Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.

CWE-13212020

CVE-2020-28268

HIGH
CVSS:7.5(High)

Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020

CVE-2020-7792

HIGH
CVSS:7.5(High)

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing e...

CWE-13212020