CRITICAL🇵🇱 Wersja polska

CVE-2024-39008

CVSS 10.0v3.1pub. 2024-07-01upd. 2026-04-15

robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

🤖 AI Analysis
How it works

An attacker can inject arbitrary properties into the JavaScript object prototype through the vulnerable objectMergeDeep function. The prototype pollution mechanism works by manipulating the __proto__ or constructor property of an object, which leads to contamination of the global prototype and affects the behavior of all objects in the application. This allows for arbitrary code execution or disruption of application functionality.

Impact

An attacker can remotely execute arbitrary code on the server (RCE) or cause denial of service (DoS) by injecting malicious properties into the prototype. Due to the network-based nature of the attack (without requiring privileges and user interaction) and full impact on confidentiality, integrity, and availability, the consequences may include complete system compromise.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to update the fast-loops library to a version higher than 1.1.3 and verify all locations in the application code where the objectMergeDeep function is used with external data.

Who is affected

robinweser fast-loops library version 1.1.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoS
CWE
References