High severity (7.5) · NVD Advisory · Published Feb 5, 2025 · Updated Apr 15, 2026
CVE-2024-57075
Description
A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload.
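As an added illustration that is not eazy-logger's own code, the block below uses an assumed naive recursive merge as a stand-in for a library deep merge applied to a Logger config, shows how a JSON-parsed `__proto__` key reaches `Object.prototype` through it, and shows the own-key filter (the same three blocked names as the fix) that stops it; `sanitizeConfig`, `buildConfig` and `probe` are hypothetical names.

```javascript
// Constructed defaults standing in for a logger's default config.
const defaults = { prefix: "[log]", level: "info" };

// ASSUMED stand-in for a library deep merge: it walks into any existing
// object on the target, including the inherited __proto__ slot.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], value); // recurses into Object.prototype when key is "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Defensive copy: keep only own keys that are not prototype-related.
function sanitizeConfig(config) {
  const safe = {};
  for (const key of Object.keys(config || {})) {
    if (!BLOCKED.has(key)) safe[key] = config[key];
  }
  return safe;
}

// Builds the effective config; `hardened` selects the filtered path.
function buildConfig(userConfig, hardened) {
  const input = hardened ? sanitizeConfig(userConfig) : (userConfig || {});
  return naiveMerge(naiveMerge({}, defaults), input);
}

// Runs the payload from the advisory's test through one path and reports
// whether Object.prototype gained a key; always restores Object.prototype.
function probe(hardened) {
  const payload = JSON.parse('{"__proto__":{"pollutedKey":123},"level":"debug"}');
  try {
    const cfg = buildConfig(payload, hardened);
    return { polluted: ({}).pollutedKey === 123, level: cfg.level };
  } finally {
    delete Object.prototype.pollutedKey;
  }
}
```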
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| eazy-logger (npm) | < 4.1.0 | 4.1.0 |
Patches
1a8baa6fe441d Resolve CVE-2024-57075 with and add a test.
2 files changed · +29 −1
index.js+11 −1 modified@@ -66,7 +66,17 @@ var Logger = function(config) { config = config || {}; this._mute = false; - this.config = _.merge({}, defaults, config); + var safeConfig = {}; + for (var attr in config) { + if (!config.hasOwnProperty(attr)) { + continue; + } + if (attr === "__proto__" || attr === "constructor" || attr === "prototype") { + continue; + } + safeConfig[attr] = config[attr]; + } + this.config = _.merge({}, defaults, safeConfig); this.addLevelMethods(this.config.levels); this._memo = {};
test/log.js+18 −0 modified@@ -308,4 +308,22 @@ describe("Logging", function(){ assert.equal(actual, expected); }); + + it("should handle prototype pollution attempts safely", function () { + const lib = easyLogger; + console.log("Before Attack: ", JSON.stringify( Object.getPrototypeOf({}))); + + try { + // for multiple functions, uncomment only one for each execution. + lib.Logger(JSON.parse("{\"__proto__\":{\"pollutedKey\":123}}")); + } catch (e) { + } + + console.log("After Attack: ", JSON.stringify(Object.getPrototypeOf({}))); + + assert.notProperty(Object.prototype, "pollutedKey", "Prototype pollution occurred"); + + // Cleanup if any property was added + delete Object.prototype.pollutedKey; + }); });
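Review bot: in the index.js hunk the key filter is shallow, so it only protects the top level of `config`; `_.merge({}, defaults, safeConfig)` still merges nested objects deeply, and a `__proto__`, `constructor` or `prototype` key one level down (for example inside a nested `levels` object) reaches the merge unfiltered unless the installed lodash version guards it itself. Consider applying the filter recursively to every plain object in `config`, and replace `config.hasOwnProperty(attr)` with `Object.prototype.hasOwnProperty.call(config, attr)` so a config created with `Object.create(null)` or carrying its own `hasOwnProperty` key cannot make the constructor throw.

Review bot: in the test/log.js hunk the empty `catch (e) {}` around `lib.Logger(...)` lets the assertion pass even when the constructor throws before the merge runs (for instance if calling `Logger` without `new` fails), so the test would not actually exercise the merge; assert that the call does not throw, or drop the try/catch, and move `delete Object.prototype.pollutedKey` into an `afterEach` or `finally` so cleanup still happens when the assertion fails and later tests are not affected. The two `console.log` lines and the comment "for multiple functions, uncomment only one for each execution", which refers to nothing in the test, should also be removed.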