VYPR
← All advisories
Medium severity5.0OSV Advisory· Published Jan 7, 2026· Updated Apr 15, 2026

CVE-2024-14020

CVE-2024-14020

Description

A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue".

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
carbonenpm
< 3.5.63.5.6

Affected products

1

Patches

2
04f9feb24bfc

Security fix: Removed the possibility of prototype pollution in formatters.

https://github.com/carboneio/carboneDavid GrelaudJun 12, 2024via ghsa
commit
3 files changed · +18 1
  • CHANGELOG.md+3 0 modified
    @@ -1,4 +1,7 @@
 
+### v3.5.6
+  - Security fix: Removed the possibility of prototype pollution in formatters. This can only occur if the parent NodeJS application has the same security issue. CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.
+
 ### v3.5.5
   - Release February 15th 2023
   - Bump dependencies
  • lib/input.js+1 1 modified
    @@ -2,7 +2,7 @@ const params = require('./params');
 const format = require('./format');
 const parser = require('./parser');
 const locale = require('../formatters/_locale.js');
-const formatters = {};
+const formatters = Object.create(null); // Remove  __proto__ and constructor attributes. Mitigates prototype pollution attacks.
 
 /**
  * Parse options coming from user-side. Clean it and generate a safe options object for internal use
  • test/test.carbone.js+14 0 modified
    @@ -252,6 +252,20 @@ describe('Carbone', function () {
       assert.notEqual(typeof input.formatters.yesOrNo, 'undefined');
       assert.equal(input.formatters.yesOrNo(true), 'yes');
     });
+    it('should not be able to inject code with prototype pollution of formatters', function (done) {
+      const _injectedCode = 'a;process.exit.call`-1`;//';
+      new Object()['__proto__'][_injectedCode] = 1;
+      Object.defineProperty(new Object()['__proto__'], _injectedCode, {
+        enumerable:false, // otherwhise it crashes elsewhere in the code (each time there is a loop on object)
+      });
+      const _xml = '<xml> {d.age:'+_injectedCode+'(3)} </xml>';
+      const _data = { age : '1' };
+      carbone.renderXML(_xml, _data, function (err, result) {
+        helper.assert(err+'', 'Error: Formatter \"a;process.exit.call`-1`;//\" does not exist. Do you mean \"and\"?');
+        helper.assert(result, null);
+        done();
+      });
+    });
   });
1fd53082230a
https://github.com/carboneio/carbonevia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.