CVE-2024-14020
Prototype Pollution Vulnerability in carboneio Formatter Handler (lib/input.js)
Publication date: 2026-01-07
Last updated on: 2026-02-23
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carboneio | carbone | 3.5.6 |
| carboneio | carbone | to 3.5.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a weakness in the carboneio carbone software, specifically in the Formatter Handler component's lib/input.js file. It allows a remote attacker to improperly modify object prototype attributes. Exploiting this vulnerability is complex and difficult, and it only succeeds if the parent NodeJS application also has the same security issue. Upgrading to version 3.5.6 fixes this problem.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to unauthorized modification of object prototype attributes, potentially causing unexpected behavior or security issues in the affected application. However, exploitation is difficult and requires the parent NodeJS application to have the same vulnerability. The impact includes partial confidentiality, integrity, and availability loss as indicated by the CVSS scores.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the affected carboneio carbone component to version 3.5.6, which includes the patch 04f9feb24bfca23567706392f9ad2c53bbe4134e that fixes the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators publicly available for CVE-2024-14020. Detection would typically involve reviewing the version of carboneio carbone in use to see whether it is at or before the vulnerable commit (fbcd349077ad0e8748be73eab2a82ea92b6f8a7e) and checking whether the application uses the vulnerable Formatter Handler component (lib/input.js). Since exploitation requires the parent NodeJS application to have the same prototype pollution issue, auditing the NodeJS application's code for prototype pollution vulnerabilities is also recommended. The best mitigation and verification is to upgrade to carbone version 3.5.6 or later, which includes a patch that prevents prototype pollution by changing the initialization of the formatters object. A test added in the patch attempts to inject malicious code into the __proto__ property and verifies that the formatter does not exist and that an error is thrown, confirming the fix. No public exploits or detection scripts are currently available. [1, 2]
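To make the class of bug and the fix described above concrete, here is an added illustrative example; it is not carbone's code and does not reproduce lib/input.js or the actual patch. It assumes a hypothetical formatter registry into which caller-supplied formatter definitions are merged, shows how a registry created as a plain `{}` lets a `__proto__` key pollute Object.prototype, and shows a registry initialised with `Object.create(null)` plus an own-property lookup that fails closed with an error, which is the behaviour the patch's test is described as checking.

```javascript
'use strict';

// Hypothetical formatter registry (assumption: not carbone's lib/input.js).
// User-controlled formatter definitions (e.g. parsed from JSON) are merged
// into the registry that template rendering later consults by name.

// Deep merge with no key filtering. When the registry was created as `{}`,
// the key "__proto__" resolves to Object.prototype, so the recursion writes
// into it and every object in the process inherits the injected properties.
function mergeFormatters(registry, userFormatters) {
  for (const name in userFormatters) {
    const value = userFormatters[name];
    if (value !== null && typeof value === 'object') {
      if (registry[name] === null || typeof registry[name] !== 'object') registry[name] = {};
      mergeFormatters(registry[name], value);
    } else {
      registry[name] = value;
    }
  }
  return registry;
}

// Fix in the spirit of the advisory's description: initialise the registry
// without a prototype chain, so "__proto__" becomes an ordinary own key.
function createRegistry() {
  return Object.create(null);
}

// Lookup that honours own properties only and throws for unknown names.
function getFormatter(registry, name) {
  if (!Object.prototype.hasOwnProperty.call(registry, name)) {
    throw new Error('Unknown formatter: ' + name);
  }
  return registry[name];
}

// Constructed malicious input: JSON.parse yields an own "__proto__" key.
const POLLUTING_INPUT = JSON.parse('{"__proto__": {"polluted": "yes"}}');

// Unsafe path: merge into `{}`, report whether Object.prototype was
// polluted, then clean up so the rest of the process is unaffected.
function unsafeRegistryPolluted() {
  mergeFormatters({}, POLLUTING_INPUT);
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return polluted; // true
}

// Hardened path: same input, null-prototype registry. No global pollution,
// and looking up the injected formatter name throws instead of resolving.
function hardenedRegistryRejects() {
  const registry = mergeFormatters(createRegistry(), POLLUTING_INPUT);
  const globalClean = ({}).polluted === undefined;
  let threw = false;
  try { getFormatter(registry, 'polluted'); } catch (e) { threw = true; }
  return globalClean && threw; // true
}
```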