Prototype Pollution vulnerability in SAP HANA Client
Description
CVE-2024-45277: Prototype Pollution in SAP HANA Node.js client (2.0.0 before 2.21.31) via nestTables feature allows attackers to add properties to global objects, causing low availability impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The SAP HANA Node.js client package, versions from 2.0.0 before 2.21.31, contains a Prototype Pollution vulnerability. It arises from improper sanitization of user input when the nestTables feature is used [1]. Prototype pollution occurs when an attacker can inject properties into JavaScript's Object.prototype, so that every object inheriting from it in the application runtime sees the injected properties.
Exploitation
An attacker can provide specially crafted input designed to pollute the global object prototype. The attack does not require high privileges; it exploits the lack of input validation in the module's handling of nested table results. The vulnerability is reachable through any code path that uses the nestTables option with untrusted data [1].
Impact
Successful exploitation allows the attacker to add arbitrary properties to global object prototypes. According to the vendor, this leads to a low impact on availability. The confidentiality and integrity of the system are not affected [1]. This type of attack can potentially cause application-level denial of service or unexpected behavior due to polluted objects.
Mitigation
The issue is fixed in version 2.21.31 of the @sap/hana-client package. Users should upgrade to this version or later. The fix is included in SAP's regular Security Patch Day cycle [2]. No workarounds have been published; updating the dependency is the recommended course of action.
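As an added illustration (not the @sap/hana-client source, whose internals this page does not show), the hypothetical nestTables-style result shaper below demonstrates the mechanism described under Overview and Exploitation and the kind of input handling the fix under Mitigation stands for: a table or column name that reaches a plain-object key can write into Object.prototype, while a null-prototype container plus key rejection prevents it. The column metadata, the "__proto__" table alias and the row values are constructed sample input.

```javascript
// Added example, not code from @sap/hana-client: a hypothetical nestTables-style
// shaper that groups a row's columns as { table: { column: value } }. Table and
// column names come from result-set metadata, so a caller-controlled alias
// such as "__proto__" ends up used as an object key.

// Vulnerable pattern: plain objects, no key validation.
function nestRowUnsafe(columns, row) {
  const nested = {};
  columns.forEach((col, i) => {
    // nested["__proto__"] resolves to Object.prototype, so the write below
    // lands on the global prototype instead of on a per-table object.
    if (!nested[col.table]) nested[col.table] = {};
    nested[col.table][col.name] = row[i];
  });
  return nested;
}

// Hardened pattern: null-prototype containers plus explicit key rejection.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function nestRowSafe(columns, row) {
  const nested = Object.create(null);
  columns.forEach((col, i) => {
    if (FORBIDDEN_KEYS.has(col.table) || FORBIDDEN_KEYS.has(col.name)) {
      throw new Error(`unsafe result key rejected: ${col.table}.${col.name}`);
    }
    if (!Object.prototype.hasOwnProperty.call(nested, col.table)) {
      nested[col.table] = Object.create(null);
    }
    nested[col.table][col.name] = row[i];
  });
  return nested;
}

// Constructed sample: one legitimate column, one with a "__proto__" table alias.
function demonstrate() {
  const columns = [{ table: "USERS", name: "ID" }, { table: "__proto__", name: "polluted" }];
  const row = [42, "yes"];
  const before = ({}).polluted;      // undefined: nothing polluted yet
  nestRowUnsafe(columns, row);
  const after = ({}).polluted;       // "yes": every plain object now sees it
  delete Object.prototype.polluted;  // undo so the rest of the process is clean
  let safeRejected = false;
  try { nestRowSafe(columns, row); } catch (e) { safeRejected = true; }
  return { before, after, safeRejected };
}
```

The "low availability impact" in the advisory maps to what demonstrate() shows: a polluted property appears on unrelated objects and can break code that checks for it, without exposing or altering data.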
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @sap/hana-client | npm | >= 2.0.0, < 2.21.31 | 2.21.31 |
Affected products
- Range: HDB_CLIENT 2.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-6339-gv7w-g5f4 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-45277 (source: ghsa, type: ADVISORY)
- me.sap.com/notes/3520100 (source: ghsa, type: WEB)
- url.sap/sapsecuritypatchday (source: ghsa, type: WEB)
- www.npmjs.com/package/@sap/hana-client (source: ghsa, type: WEB)
News mentions
No linked articles in our index yet.