Home > Vulnerability Database > CVE-2024-21505

Mend.io Vulnerability Database

CVE-2024-21505

Good to know:

Date: March 25, 2024

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Language: JS

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21505

Url: https://github.com/web3/web3.js/commit/8ed041c6635d807b3da8960ad49e125e3d1b0e80

Url: https://github.com/web3/web3.js/security/advisories/GHSA-2g4c-8fpm-c46v

Url: https://github.com/web3/web3.js

Url: https://www.mend.io/vulnerability-database/CVE-2024-21505

Severity Score

7.5

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version web3-utils - 4.2.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21505

Good to know:

Date: March 25, 2024

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?