CVE-2024-57708
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-07-25
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-471 | The product does not properly protect an assumed-immutable element from being modified by an attacker. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OneTrust SDK version 6.33.0 is a Prototype Pollution issue caused by improper handling of JavaScript prototype assignment functions such as Object.setPrototypeOf, __proto__, and Object.assign. An attacker can exploit this by injecting malicious properties into the global Object.prototype, which affects all objects in the application. This can lead to application logic errors and denial of service conditions by polluting the global prototype chain. [1]
How can this vulnerability impact me? :
The vulnerability can cause denial of service (DoS) conditions by corrupting the global object prototype, leading to application crashes or unexpected behavior. It does not affect confidentiality or integrity but impacts availability. The attack requires low complexity, no privileges, but does require user interaction. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for prototype pollution via JavaScript in environments using OneTrust SDK v6.33.0. A proof-of-concept involves injecting a payload containing a __proto__ property to modify the prototype chain and observing if global objects inherit the polluted property. This can be done using Node.js or browser developer tools by executing commands that assign malicious objects to Object.setPrototypeOf or Object.assign and checking for unexpected properties on global objects. For example, in a Node.js or browser console, you can run: const maliciousPayload = { __proto__: { polluted: 'yes' } }; Object.assign({}, maliciousPayload); console.log({}.polluted); If the output shows 'yes', the system is vulnerable to prototype pollution. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs that are used in object merging or prototype manipulation functions such as Object.setPrototypeOf, Object.assign, or direct __proto__ assignments. Since no patched version currently exists, developers should implement input validation to prevent objects containing __proto__ or constructor.prototype properties from being processed. Additionally, monitoring and restricting the use of these JavaScript functions in untrusted contexts can help reduce exploitation risk. [1]