CVE-2024-38985

Vulnerability

Overview CVE-2024-38985 describes a prototype pollution vulnerability in the JavaScript libraries depath (v1.0.6) and cool-path (v1.1.2). The flaw resides in the set() method used within setIn() at lib/index.js:90, where user-controlled input is unsafely assigned to object properties without proper validation. This allows an attacker to pollute the global Object.prototype by using special properties like __proto__ or constructor.prototype [1][2][3].

Exploitation

Details To exploit this vulnerability, an attacker can call lib.Path.setIn({}, "__proto__.polluted", true) to inject a property into the prototype chain of all objects. The attack requires no authentication or special network position, as the vulnerability can be triggered by any application that processes user-supplied paths with the setIn function [3][4]. The provided proof-of-concept demonstrates successful pollution of Object.prototype by modifying the __proto__ property [3].

Impact

Successful exploitation can lead to severe consequences, including denial of service (DoS), remote code execution (RCE), or cross-site scripting (XSS), depending on how the polluted properties are used by the application. Since prototype pollution can alter the behavior of built-in objects, it may bypass security controls, corrupt data, or enable arbitrary code execution [1][3][4].

Mitigation

Status As of this writing, no official patch has been released by the maintainer for either depath or cool-path [3][4]. Users are advised to implement input sanitization and validation, specifically blocking property names __proto__, constructor, and prototype. Additionally, using hasOwnProperty checks when assigning properties can prevent prototype pollution [4].