High severity (7.5) · NVD Advisory · Published Mar 25, 2024 · Updated Apr 15, 2026
CVE-2024-21505
Description
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
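As an added illustration of the mechanism described above (constructed example, not code from web3-utils or its fix commit): a recursive merge written the insecure way, beside a hardened version that skips prototype-affecting keys and never writes into the caller's objects. The crafted JSON input and the `demonstrate` helper are assumptions made for this example.

```javascript
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);
// Keys that alter the prototype chain or reach Object.prototype when merged.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Insecure variant: writes straight into `destination` and treats a source key
// named "__proto__" like any nested object, so recursion lands in Object.prototype.
function mergeDeepInsecure(destination, ...sources) {
  const result = destination;
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      if (isPlainObject(src[key])) {
        if (!isPlainObject(result[key])) result[key] = {};
        mergeDeepInsecure(result[key], src[key]);
      } else {
        result[key] = src[key];
      }
    }
  }
  return result;
}

// Hardened variant: copies instead of mutating, skips forbidden keys, and only
// recurses into properties the result itself owns (never inherited ones).
function mergeDeepSafe(destination, ...sources) {
  const result = { ...destination };
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = src[key];
      if (isPlainObject(value)) {
        const own = Object.prototype.hasOwnProperty.call(result, key);
        const existing = own && isPlainObject(result[key]) ? result[key] : {};
        result[key] = mergeDeepSafe(existing, value);
      } else {
        result[key] = value;
      }
    }
  }
  return result;
}

// Constructed input of the shape the advisory describes; JSON.parse makes
// "__proto__" an own key rather than the object-literal prototype setter.
const craftedInput = JSON.parse('{"__proto__": {"polluted": true}, "gas": "0x1"}');

// Runs a merge, checks whether an unrelated object inherited the new property,
// then removes it so later code is unaffected. Returns { leaked, out }.
function demonstrate(merge) {
  const out = merge({ from: '0xabc' }, craftedInput);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, out };
}
```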
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| web3-utils (npm) | >= 4.0.1, < 4.2.1 | 4.2.1 |
Patches
2 files changed · +2 −2
packages/web3-utils/src/index.ts+1 −1 modified@@ -33,4 +33,4 @@ export * from './web3_eip1193_provider.js'; export * from './socket_provider.js'; export * from './uint8array.js'; // for backwards compatibility with v1 -export {AbiItem} from 'web3-types'; \ No newline at end of file +export { AbiItem } from 'web3-types';
packages/web3-utils/src/objects.ts+1 −1 modified@@ -36,7 +36,7 @@ export const mergeDeep = ( destination: Record<string, unknown>, ...sources: Record<string, unknown>[] ): Record<string, unknown> => { - const result = destination; // clone deep here + const result = { ...destination }; // clone deep here if (!isIterable(result)) { return result; }
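Review bot: in the objects.ts hunk, `const result = { ...destination };` is a shallow copy, so the retained `// clone deep here` comment overstates it: any nested object already present in `destination` is still shared with the caller and will be written through by whatever the merge later assigns into it. Separately, nothing visible in this hunk stops a source key named `__proto__`, `constructor` or `prototype` from being merged; on the fresh object `result['__proto__']` still resolves to Object.prototype, so consider rejecting those keys explicitly (e.g. `if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;`) and only recursing into `result[key]` when it is an own property, and update the comment to say "shallow copy".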
References
- github.com/advisories/GHSA-2g4c-8fpm-c46v (advisory; source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-21505 (advisory; source: GHSA)
- github.com/web3/web3.js/commit/8ed041c6635d807b3da8960ad49e125e3d1b0e80 (web; source: NVD)
- github.com/web3/web3.js/security/advisories/GHSA-2g4c-8fpm-c46v (web; source: GHSA)
- security.snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337 (web; source: NVD)