Home > Vulnerability Database > CVE-2024-32866

Mend.io Vulnerability Database

CVE-2024-32866

Good to know:

Date: April 23, 2024

Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.

Language: TYPE_SCRIPT

Severity Score

8.6

Related Resources (7)

Url: https://github.com/edmundhung/conform

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32866

Url: https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de

Url: https://github.com/edmundhung/conform/commit/cb604dd58b99e2d12716d901a23bfca724e741ef

Url: https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117

Url: https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf

Url: https://www.mend.io/vulnerability-database/CVE-2024-32866

Severity Score

8.6

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version @conform-to/zod - 1.1.1, @conform-to/yup - 1.1.1, @conform-to/dom - 1.1.1

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-32866

Good to know:

Date: April 23, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?