VYPR
Moderate severity · NVD Advisory · Published Jul 1, 2024 · Updated Aug 2, 2024

CVE-2024-38997

Description

Prototype pollution in @adolph_dudu/ratio-swiper v0.0.2 via extendDefaults allows arbitrary code execution or DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

A prototype pollution vulnerability exists in @adolph_dudu/ratio-swiper version 0.0.2 within the extendDefaults function. The flaw allows an attacker to inject arbitrary properties into the global Object.prototype by passing a specially crafted object containing the __proto__ key [1][2][3]. This is a classic prototype pollution pattern that can have severe security implications.

Exploitation

An attacker can exploit this vulnerability by calling the extendDefaults or parse methods with a JSON object that includes "__proto__": { ... }. The provided proof-of-concept demonstrates that after such a call, the prototype of all objects is polluted, as shown by the addition of a new property to Object.prototype [3]. No authentication or special network position is required; the attack can be triggered by any code that processes user-controlled input through the vulnerable functions.

Impact

Successful exploitation can lead to multiple outcomes depending on the application context. The attacker can alter the behavior of all objects inheriting from the polluted prototype, potentially leading to Denial of Service (DoS), arbitrary code execution, or cross-site scripting (XSS) if the application uses the polluted properties in security-sensitive ways [2][3]. The CVSS v3.1 score is 6.5 (Medium) [3].

Mitigation

As of the advisory date, the vendor has not released a patch for this vulnerability. Users should consider updating to a patched version if one becomes available, or implementing input sanitization so that __proto__ keys are never processed by the affected functions. The package may be at risk of being added to the CISA Known Exploited Vulnerabilities catalog if exploitation becomes widespread.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sanitization of `__proto__` keys in `extendDefaults` and `parse` allows prototype pollution."

Attack vector

An attacker calls the vulnerable `extendDefaults` or `parse` function with a crafted JSON payload containing the special `__proto__` property [ref_id=1]. Because the function does not sanitize or block modifications to `__proto__`, it pollutes `Object.prototype` with arbitrary properties [CWE-1321]. This can alter the behavior of all objects inheriting from that prototype, potentially leading to denial of service, remote code execution, or cross-site scripting depending on available gadgets [ref_id=1]. The attack requires no special privileges beyond the ability to supply input to the affected functions.

Affected code

The vulnerable function is `extendDefaults` in the `@adolph_dudu/ratio-swiper` package (version 0.0.2). The advisory also lists the `parse` function as an affected component [ref_id=1]. No patch files are provided in the bundle.

What the fix does

No patch is provided in the bundle. The advisory does not include remediation guidance or a fixed version [ref_id=1]. To close the vulnerability, the package should sanitize or reject any key named `__proto__` (or `constructor.prototype`) in the input objects passed to `extendDefaults` and `parse`, preventing modification of the object prototype [CWE-1321].
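To make the fix concrete, here is a minimal model of the recursive "extend defaults" merge pattern the advisory describes, in a polluting form beside the hardened form the paragraph above calls for. This is an added example and not code from @adolph_dudu/ratio-swiper; the function names and merge shape are assumptions, since the package's source is not part of the advisory.

```javascript
// Added example, not code from @adolph_dudu/ratio-swiper: a minimal recursive
// "extend defaults" merge in a polluting and a hardened form. All names here are
// hypothetical; the package's real internals are not in the advisory.

// Polluting pattern (CWE-1321): every key of `source` is copied recursively. An own
// key named "__proto__" resolves on `target` to Object.prototype, so the recursion
// writes the attacker-controlled properties onto the shared prototype.
function extendDefaultsUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      extendDefaultsUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: keys that can reach a prototype are rejected, only own keys are
// walked, and nested targets are created only when they are own plain objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function extendDefaultsSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`refusing to merge key "${key}"`);
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      extendDefaultsSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check harness: merges the advisory's payload shape into a fresh object and reports
// whether Object.prototype picked up "test"; cleans up so the check is repeatable.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"test":123}}'); // constructed, same shape as the PoC
  try { mergeFn({}, payload); } catch (e) { /* the hardened form throws here */ }
  const polluted = ({}).test === 123;
  delete Object.prototype.test;
  return polluted;
}
```

Calling `pollutes(extendDefaultsUnsafe)` returns true and `pollutes(extendDefaultsSafe)` returns false, which is the regression check a maintainer would keep next to any merge helper that accepts parsed user input.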

Preconditions

  • input: Attacker must be able to supply input to the `extendDefaults` or `parse` function of @adolph_dudu/ratio-swiper
  • auth: No authentication or special privileges required

Reproduction

```javascript
(async () => {
  const lib = await import('@adolph_dudu/ratio-swiper');
  // An unrelated object: its prototype should not change as a side effect of the calls below.
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // Both functions receive an object carrying an own "__proto__" key.
    lib.extendDefaults(JSON.parse('{"__proto__":{"test":123}}'));
    lib.parse('{"__proto__":{"test":123}}');
  } catch (e) { }
  // If the prototype was polluted, "test" now appears on every plain object.
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up the property the payload added to Object.prototype.
  delete Object.prototype.test;
})();
```

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.