Lucene search

GitHub_MCVELIST:CVE-2024-32866

HistoryApr 23, 2024 - 9:07 p.m.

CVE-2024-32866 Conform contains Prototype Pollution Vulnerability in `parseWith...` function

2024-04-2321:07:06

CWE-1321

GitHub_M

www.cve.org

conform library

prototype pollution

parsewith function

version 1.1.1

server-side validation

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

8.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Conform, a type-safe form validation library, allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to parseWith... functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.

CNA Affected

[
  {
    "vendor": "edmundhung",
    "product": "conform",
    "versions": [
      {
        "version": "< 1.1.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117

github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de

github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

8.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for CVELIST:CVE-2024-32866