CVE-2024-14020
Unknown Unknown - Not Provided
Prototype Pollution Vulnerability in carboneio Formatter Handler (lib/input.js

Publication date: 2026-01-07

Last updated on: 2026-02-23

Assigner: VulDB

Description
A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue".
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2024-14020
EUVD
EUVD-2026-1182
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
carboneio carbone 3.5.6
carboneio carbone to 3.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a weakness in the carboneio carbone software, specifically in the Formatter Handler component's lib/input.js file. It allows an attacker to manipulate and improperly modify object prototype attributes remotely. Exploiting this vulnerability is complex and difficult, and it only succeeds if the parent NodeJS application also has the same security issue. Upgrading to version 3.5.6 fixes this problem.

Impact Analysis

If exploited, this vulnerability can lead to unauthorized modification of object prototype attributes, potentially causing unexpected behavior or security issues in the affected application. However, exploitation is difficult and requires the parent NodeJS application to have the same vulnerability. The impact includes partial confidentiality, integrity, and availability loss as indicated by the CVSS scores.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the affected carboneio carbone component to version 3.5.6, which includes the patch 04f9feb24bfca23567706392f9ad2c53bbe4134e that fixes the issue.

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

There are no specific detection commands or network indicators publicly available for CVE-2024-14020. Detection would typically involve reviewing the version of carboneio carbone in use to see if it is at or below the vulnerable commit (fbcd349077ad0e8748be73eab2a82ea92b6f8a7e) and checking if the application uses the vulnerable Formatter Handler component (lib/input.js). Since exploitation requires the parent NodeJS application to have the same prototype pollution issue, auditing the NodeJS application's code for prototype pollution vulnerabilities is also recommended. The best mitigation and verification is to upgrade to carbone version 3.5.6 or later, which includes a patch that prevents prototype pollution by changing the formatters object initialization. A test added in the patch attempts to inject malicious code into the __proto__ property and verifies that the formatter does not exist and an error is thrown, confirming the fix. No public exploits or detection scripts are currently available. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-14020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart