CVE-2024-21505

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-21505

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21505.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-21505

Aliases

GHSA-2g4c-8fpm-c46v

Published

2024-03-25T05:15:50.663Z

Modified

2026-02-05T09:35:02.879214Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

References

Affected packages

Git / github.com/web3/web3.js

Affected ranges

Type: GIT
Repo: https://github.com/web3/web3.js
Events: Fixed

8ed041c6635d807b3da8960ad49e125e3d1b0e80

Introduced

0cb67d7b306d8c159d1db7fd0e0d58a294017913

Fixed

8ed041c6635d807b3da8960ad49e125e3d1b0e80

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21505.json"