Critical severity 9.8 · NVD Advisory · Published Jun 17, 2024 · Updated Apr 15, 2026
CVE-2024-36573
Description
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component.
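To make the mechanism concrete, here is an added example (not the obx project's code) of a minimal dotted-path setter in the style of obx.set(obj, "a.b.c", value), shown in an unsafe form and a hardened form; it generalises the "__proto__.polluted" case from the advisory's test to the "constructor.prototype.x" spelling as well. The names unsafeSet, safeSet, isPolluted and demo are assumptions made for this example.

```javascript
// Added example (not obx's code); the names unsafeSet/safeSet/isPolluted/demo are assumed.

// Unsafe: each path segment is used verbatim as a property name, so the segment
// "__proto__" resolves to Object.prototype and the final write lands there.
function unsafeSet(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse segments that reach the prototype chain (covers both the
// "__proto__.x" and the "constructor.prototype.x" spellings) and only descend
// into own, plain-object properties, so shared prototypes are never written.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function safeSet(obj, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) {
    throw new TypeError(`refusing prototype-chain segment in path "${path}"`);
  }
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Check in the spirit of the fix commit's tests: a fresh, unrelated object
// must not see the property through the shared prototype.
function isPolluted(name) {
  return name in {};
}

function demo() {
  // Constructed input taken from the advisory's test case: "__proto__.polluted".
  unsafeSet({}, "__proto__.polluted", true);
  const before = isPolluted("polluted"); // true: Object.prototype was written
  delete Object.prototype.polluted;      // restore the shared prototype
  let rejected = false;
  try { safeSet({}, "__proto__.polluted", true); } catch (e) { rejected = e instanceof TypeError; }
  return { before, rejected, after: isPolluted("polluted") }; // { true, true, false }
}
```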
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @almela/obx (npm) | < 0.0.4 | 0.0.4 |
Patches
1984ad92dc067 fixed prototype pollution
2 files changed · +43 −0
src/index.js+3 −0 modified@@ -1,3 +1,6 @@ +/* prevent prototype polution */ +Object.freeze(Object.prototype) + /* type checker */ const t = (d) => d instanceof Function
src/index.test.js+40 −0 modified@@ -1204,3 +1204,43 @@ describe("add", () => { expect(obx.eq(a, res)).toBe(true); }); }); + +describe("prototype polution", () => { + const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}'); + + test("add", () => { + const victim = {}; + + try { + obx.add({}, BAD_JSON); + } catch (e) { } + + expect(Object.keys(victim.__proto__).length).toBe(0); + + delete Object.prototype.polluted; + }); + + test("cp", () => { + const victim = {}; + + try { + obx.cp({ "__proto__.polluted": true }); + } catch (e) { } + + expect(Object.keys(victim.__proto__).length).toBe(0); + + delete Object.prototype.polluted; + }) + + test("set", () => { + const victim = {}; + + try { + obx.set({}, "__proto__.polluted", true); + } catch (e) { } + + expect(Object.keys(victim.__proto__).length).toBe(0); + + delete Object.prototype.polluted; + }) +});
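Review bot: In the src/index.js hunk, Object.freeze(Object.prototype) at module load is a process-wide side effect rather than an input check: any other module in the same runtime that extends Object.prototype now fails, and add/cp/set themselves still accept a "__proto__" or "constructor.prototype" path and merely have the final write ignored. Consider rejecting those segments (and validating keys while add/cp merge) in the setter so callers get an explicit error, and if the freeze is kept, document it for consumers. Also, "polution" in the comment should read "pollution".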
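Review bot: In the src/index.test.js hunk, the three tests only check Object.keys(victim.__proto__).length, which lists enumerable own properties of Object.prototype, so they pass whether or not the library rejected the input; with the errors swallowed by the empty catch blocks, a later change that drops the freeze but still pollutes via a non-enumerable define would not be caught. Add an explicit expectation on the call (for example expect(() => obx.set({}, "__proto__.polluted", true)).toThrow() once the library rejects such paths) alongside the prototype check. In the "add" test, victim is never passed to obx.add({}, BAD_JSON), so the assertion on victim only holds through the shared prototype; passing victim makes the intent clearer. And "polution" in the describe name should be "pollution".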
References (4)
News mentions (0): No linked articles in our index yet.