VYPR
Critical severity 9.8 · NVD Advisory · Published May 20, 2024 · Updated Apr 15, 2026

CVE-2024-24294

Description

A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js.
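
A hardened deep-property setter of the kind this advisory concerns, as an added example (not Blackprint's code and not the patched `setDeepProperty`). The names `safeSetDeep`, `checkSegment` and `rejected` and the sample paths are assumptions made for illustration.

```javascript
'use strict';
// Added example: hypothetical hardened setter, not @blackprint/engine code.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Accept only primitive strings and non-negative integers as path segments,
// so arrays, boxed Strings and other objects cannot be coerced into a
// forbidden key after the denylist comparison has already run.
function checkSegment(seg) {
  const ok = typeof seg === 'string' ||
    (typeof seg === 'number' && Number.isInteger(seg) && seg >= 0);
  if (!ok) throw new TypeError('path segment must be a string or index');
  if (FORBIDDEN.has(seg)) throw new RangeError('forbidden path segment: ' + seg);
  return seg;
}

function safeSetDeep(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0)
    throw new TypeError('path must be a non-empty array');
  const keys = path.map(checkSegment); // validate every segment before mutating
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Descend only into own object-valued properties, never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Helper for regression checks on constructed inputs: true when the path
// is refused with one of the two validation errors.
function rejected(path) {
  try { safeSetDeep({}, path, true); return false; }
  catch (e) { return e instanceof TypeError || e instanceof RangeError; }
}
```

Validating the whole path before the first write means a rejected call leaves the target object untouched.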

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| @blackprint/engine (npm) | >= 0.8.12, < 0.9.2 | 0.9.2 |

Patches

1
bd6b965b03c4

Fix prototype pollution

https://github.com/Blackprint/engine-js · StefansArya · Mar 19, 2024 · via ghsa
1 file changed · +6 0
  • src/utils.js · +6 0 · modified
    @@ -8,6 +8,9 @@ function setDeepProperty(obj, path, value, onCreate){
     	for(var i = 0, n = path.length-1; i < n; i++){
     		temp = path[i];
     
    +		if(temp.constructor !== String && temp.constructor !== Number)
    +			throw new Error("Object field must be Number or String, but found: " + JSON.stringify(temp));
    +
     		// Disallow diving into internal JavaScript property
     		if(temp === "constructor" || temp === "__proto__" || temp === "prototype")
     			return;
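
Review bot: The new check inside the loop compares `temp.constructor`, which also accepts a boxed String object (its constructor is String), while the strict `===` comparisons against "constructor", "__proto__" and "prototype" a few lines below only ever match primitive strings, so such a value passes the type check and is never caught by the denylist. Using `typeof temp !== "string" && typeof temp !== "number"` here would restrict path segments to primitives and make the comparison that follows reliable.
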
    @@ -24,6 +27,9 @@ function setDeepProperty(obj, path, value, onCreate){
     	}
     
     	temp = path[i];
    +	if(temp.constructor !== String && temp.constructor !== Number)
    +		throw new Error("Object field must be Number or String, but found: " + JSON.stringify(temp));
    +
     	if(temp === "constructor" || temp === "__proto__" || temp === "prototype")
     		return;
     
    
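
Review bot: On the final segment, `temp = path[i]` is undefined when `path` is empty (n is -1 and the loop never runs), so `temp.constructor` raises a generic TypeError rather than the intended "Object field must be Number or String" message; a null segment behaves the same way. A `typeof`-based check covers both cases. The check is now duplicated verbatim in the loop and here, so it would be better pulled into one helper, and the commit touches only src/utils.js, so a regression test for the rejected inputs is still missing.
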
