CVE-2024-14020 · CVSS 5 · MEDIUM

carboneio carbone Formatter input.js prototype pollution

Platform

nodejs

Component

carboneio/carbone

Fixed version

349077.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

A prototype pollution vulnerability has been identified in carbone, affecting versions up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This flaw allows attackers to manipulate object prototype attributes, potentially leading to denial of service or other unexpected application behavior. The vulnerability resides within the Formatter Handler component's lib/input.js file. Upgrading to version 3.5.6 resolves this issue.

Impact and attack scenarios

Successful exploitation of CVE-2024-14020 allows a remote attacker to modify the prototype of JavaScript objects within the carbone library. This can lead to unexpected application behavior, potentially including denial of service, data corruption, or even arbitrary code execution depending on how the application utilizes the modified prototypes. The high complexity suggests that exploitation requires a deep understanding of the application's internal workings and the prototype inheritance mechanism. Prototype pollution vulnerabilities, while often overlooked, can have significant consequences if exploited effectively, as they can bypass security controls and compromise the integrity of the application.

Exploitation context

The vulnerability's high complexity suggests that widespread exploitation is unlikely in the short term. No public proof-of-concept (PoC) code has been released as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog. Given the complexity and lack of public exploits, the probability of exploitation is considered low to medium.

Who is at risk

Applications utilizing the carbone library in their frontend or backend code are at risk. Specifically, projects that dynamically construct objects based on user-supplied data without proper sanitization are particularly vulnerable. Developers relying on older versions of carbone without robust input validation practices should prioritize upgrading.

Detection steps

• nodejs / server:

  npm list carbone          # show the installed carbone version

• nodejs / server:

  npm audit                 # flag dependency versions with known advisories

• nodejs / server:

  grep -r 'lib/input.js' .  # search for the vulnerable file

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: NO
Internet exposure

EPSS

0.03% (7th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

CVSS vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
5.0 MEDIUM
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit the flaw)
Privileges Required: Low (authentication level the attack needs)
User Interaction: None (whether the victim must take any action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: Low (risk of sensitive data disclosure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet, with no physical or local access required. Largest attack surface.
Attack Complexity
High: requires a race condition, a non-default configuration or specific circumstances. Hard to exploit reliably.
Privileges Required
Low: any valid user account will do.
User Interaction
None: the attack is automatic and silent; the victim need not do anything.
Scope
Unchanged: impact is confined to the vulnerable component itself.
Confidentiality
Low: some data can be accessed.
Integrity
Low: the attacker can modify some data, with limited impact.
Availability
Low: partial or intermittent denial of service.

Affected software

Component: carboneio/carbone
Vendor: carboneio
Affected range / Fixed version
fbcd349077ad0e8748be73eab2a82ea92b6f8a7e – fbcd349077ad0e8748be73eab2a82ea92b6f8a7e / 349077.0.1

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigations and workarounds

The primary mitigation for CVE-2024-14020 is to upgrade to version 3.5.6 of carbone. This version includes a patch (04f9feb24bfca23567706392f9ad2c53bbe4134e) that addresses the prototype pollution vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization techniques to prevent malicious data from being injected into the application. Carefully review and restrict the use of user-supplied data in object property assignments. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with malicious input and verifying that the prototype remains unchanged.
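As an added example (not carbone's code and not the patched lib/input.js), the merge pattern that prototype pollution abuses beside a hardened version, plus the post-upgrade check the mitigation text describes: push input through the code path and confirm Object.prototype gained no keys. All function names and the sample JSON are constructed for the example.

```javascript
// Added example (not carbone's code): the vulnerable merge pattern beside a
// hardened one, and a check that Object.prototype gained no keys. Function
// names (naiveMerge, safeMerge, detectPollution, demo) are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: copies every key, including "__proto__", so a nested
// object under that key is merged into Object.prototype itself.
function naiveMerge(dst, src) {
  for (const key in src) {
    if (typeof src[key] === 'object' && src[key] !== null) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened pattern: only own keys, never the three prototype-reaching names,
// and only descend into properties dst itself owns (inherited ones are replaced).
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : null;
      dst[key] = safeMerge(typeof own === 'object' && own !== null ? own : {}, value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Run fn and report which own keys Object.prototype gained; [] means clean.
function detectPollution(fn) {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  fn();
  return Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
}

// Constructed untrusted input, shaped like a JSON document sent by a client.
const UNTRUSTED = '{"title":"report","__proto__":{"polluted":"yes"}}';

function demo() {
  const naive = detectPollution(() => naiveMerge({}, JSON.parse(UNTRUSTED)));
  naive.forEach((k) => delete Object.prototype[k]); // undo the damage in this process
  const safe = detectPollution(() => safeMerge({}, JSON.parse(UNTRUSTED)));
  return { naive, safe };
}
```

The same detectPollution wrapper can be placed around the real rendering call after upgrading: any key it reports means the fix is not in effect.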

Remediation

Upgrade the carboneio/carbone library to version 3.5.6 or later. This version contains the fix for the prototype pollution vulnerability. You can upgrade the dependency with npm or yarn.

FAQ

What is CVE-2024-14020 — prototype pollution in carbone?

CVE-2024-14020 is a prototype pollution vulnerability affecting carbone versions up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e, allowing remote attackers to manipulate object prototypes.

Am I affected by CVE-2024-14020 in carbone?

You are affected if your project uses carbone version fbcd349077ad0e8748be73eab2a82ea92b6f8a7e or earlier. Check your project dependencies to confirm.

How do I fix CVE-2024-14020 in carbone?

Upgrade to version 3.5.6 of carbone. This version includes a patch that resolves the prototype pollution vulnerability.

Is CVE-2024-14020 being actively exploited?

As of the publication date, there are no reports of active exploitation or publicly available proof-of-concept code.

Where can I find the official carbone advisory for CVE-2024-14020?

Refer to the official carbone project repository or website for the latest security advisories and updates related to CVE-2024-14020.
