Platform
nodejs
Component
carboneio/carbone
Fixed in
349077.0.1
A prototype pollution vulnerability has been identified in carbone, affecting versions up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This flaw allows attackers to manipulate object prototype attributes, potentially leading to denial of service or other unexpected application behavior. The vulnerability resides within the Formatter Handler component's lib/input.js file. Upgrading to version 3.5.6 resolves this issue.
Successful exploitation of CVE-2024-14020 allows a remote attacker to modify the prototype of JavaScript objects within the carbone library. This can lead to unexpected application behavior, potentially including denial of service, data corruption, or even arbitrary code execution depending on how the application utilizes the modified prototypes. The high complexity suggests that exploitation requires a deep understanding of the application's internal workings and the prototype inheritance mechanism. Prototype pollution vulnerabilities, while often overlooked, can have significant consequences if exploited effectively, as they can bypass security controls and compromise the integrity of the application.
The vulnerability's high complexity suggests that widespread exploitation is unlikely in the short term. No public proof-of-concept (PoC) code has been released as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog. Given the complexity and lack of public exploits, the probability of exploitation is considered low to medium.
Applications utilizing the carbone library in their frontend or backend code are at risk. Specifically, projects that dynamically construct objects based on user-supplied data without proper sanitization are particularly vulnerable. Developers relying on older versions of carbone without robust input validation practices should prioritize upgrading.
• nodejs / server:
npm list carbone
• nodejs / server:
npm audit
• nodejs / server:
find . -path '*/carbone/lib/input.js' # Locate the vulnerable file
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-14020 is to upgrade to version 3.5.6 of carbone. This version includes a patch (04f9feb24bfca23567706392f9ad2c53bbe4134e) that addresses the prototype pollution vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization techniques to prevent malicious data from being injected into the application. Carefully review and restrict the use of user-supplied data in object property assignments. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with malicious input and verifying that the prototype remains unchanged.
Upgrade the carboneio/carbone library to version 3.5.6 or later. This version contains a fix for the prototype pollution vulnerability. You can update the dependency using npm or yarn.
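The input validation and the "prototype remains unchanged" check described above, as an added example that is not carbone's code and not part of the original advisory. All function names are hypothetical, and the sample payload is constructed; it assumes the user-supplied data is JSON-like (plain objects, arrays and primitives).

```javascript
// Added example. All function names here are hypothetical; nothing below is carbone code.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Deep-copy JSON-like user data, dropping keys that can reach an object prototype.
// Strict policy: a legitimate field named "constructor" is dropped too.
function stripDangerousKeys(value, dropped = [], path = '$') {
  if (Array.isArray(value)) {
    return value.map((item, i) => stripDangerousKeys(item, dropped, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) {
      dropped.push(`${path}.${key}`); // record what was removed, for logging/alerting
      continue;
    }
    clean[key] = stripDangerousKeys(value[key], dropped, `${path}.${key}`);
  }
  return clean;
}

// Record the own keys of Object.prototype so later additions can be detected.
function snapshotPrototype(proto = Object.prototype) {
  return new Set(Reflect.ownKeys(proto));
}

// Keys present on the prototype now that were absent in the snapshot.
function prototypeAdditions(before, proto = Object.prototype) {
  return Reflect.ownKeys(proto).filter((key) => !before.has(key));
}

// Run a synchronous step (e.g. the code that hands data to the templating library)
// and fail loudly if Object.prototype gained properties while it ran.
function runWithPrototypeCheck(step) {
  const before = snapshotPrototype();
  const result = step();
  const added = prototypeAdditions(before);
  if (added.length > 0) {
    throw new Error(`Object.prototype gained: ${added.map(String).join(', ')}`);
  }
  return result;
}

// Constructed sample input: JSON.parse makes "__proto__" an own property.
const sample = JSON.parse('{"name":"invoice","__proto__":{"polluted":true},' +
  '"items":[{"qty":2,"constructor":{"prototype":{"x":1}}}]}');
const removed = [];
const safe = runWithPrototypeCheck(() => stripDangerousKeys(sample, removed));
console.log(safe, removed);
```

The check reports properties added to `Object.prototype` only; it does not detect an existing built-in being overwritten, and it does not replace upgrading to 3.5.6.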
CVE-2024-14020 is a prototype pollution vulnerability affecting carbone versions up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e, allowing remote attackers to manipulate object prototypes.
You are affected if your project uses carbone version fbcd349077ad0e8748be73eab2a82ea92b6f8a7e or earlier. Check your project dependencies to confirm.
Upgrade to version 3.5.6 of carbone. This version includes a patch that resolves the prototype pollution vulnerability.
As of the publication date, there are no reports of active exploitation or publicly available proof-of-concept code.
Refer to the official carbone project repository or website for the latest security advisories and updates related to CVE-2024-14020.