VYPR
← All advisories
High severityNVD Advisory· Published Jul 1, 2024· Updated Aug 2, 2024

CVE-2024-38994

CVE-2024-38994

Description

amoy common v1.0.10 has a prototype pollution vulnerability in the extend function, enabling denial of service or remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

amoy common v1.0.10 has a prototype pollution vulnerability in the extend function, enabling denial of service or remote code execution.

Vulnerability

Description CVE-2024-38994 is a prototype pollution vulnerability in the @amoy/common package version 1.0.10. The flaw resides in the extend function, which does not properly sanitize the __proto__ property, allowing an attacker to pollute the base object prototype by injecting arbitrary properties [1][2].

Attack

Vector An attacker can exploit this by calling the vulnerable extend function with a carefully crafted object containing __proto__ as a key. This can be achieved without authentication, as the function is exposed to user inputs. The provided proof-of-concept demonstrates that after the attack, all objects inherit the polluted property, potentially leading to denial of service, remote code execution, or cross-site scripting depending on the application's gadgets [2].

Impact

Successful exploitation allows an attacker to add or modify properties of the global Object.prototype, affecting all objects in the runtime. This can lead to unexpected behavior, denial of service crashes, or arbitrary code execution if the polluted properties are used in security-sensitive operations [1][2].

Mitigation

As of the advisory date, no official patch has been released for version 1.0.10. Users are advised to avoid using untrusted inputs with the extend function, implement input filtering for __proto__ and constructor.prototype keys, or consider alternative libraries. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. NVD - CVE-2024-38994
  2. [CVE-2024-38994] Vulnerability Advisory: Prototype Pollution in @amoy/common, version 1.0.10

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in the `extend` and `setValue` functions allows the `__proto__` property to be used for prototype pollution."

Attack vector

An attacker calls the `extend` or `setValue` function with a crafted object containing the special `__proto__` property [ref_id=1]. This pollutes `Object.prototype`, injecting arbitrary properties that are inherited by all objects in the runtime [CWE-1321]. The attacker can then leverage existing gadgets (e.g., property lookups in templates, configuration merging) to achieve denial of service, remote code execution, or cross-site scripting, depending on the application's use of polluted properties [ref_id=1].

Affected code

The vulnerable functions are `extend` and `setValue` in the `@amoy/common` package version 1.0.10 [ref_id=1]. These functions do not prevent modification of the `__proto__` property when merging or setting values on objects.

What the fix does

No patch is published in the bundle. The advisory [ref_id=1] does not include a fix or remediation guidance. To close the vulnerability, the `extend` and `setValue` functions should filter out or reject keys that are `__proto__`, `constructor`, or `prototype` before performing object assignment or merging.

Preconditions

  • inputThe application must use the vulnerable @amoy/common v1.0.10 library and call the extend or setValue function with attacker-controlled input.
  • authNo authentication is required; the attacker only needs to supply a crafted JSON payload to the vulnerable function.

Reproduction

(async () => { const lib = await import('@amoy/common'); var victim = {} console.log("Before Attack: ", JSON.stringify(victim.__proto__)); try { lib.extend(emptyObj, JSON.parse('{"__proto__":{"test":123}}')); lib.setValue(emptyObj, "__proto__.test", 123); } catch (e) { } console.log("After Attack: ", JSON.stringify(victim.__proto__)); delete Object.prototype.polluted; })();

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.