CVE-2024-39011 in redocinfo

Summary

by MITRE • 07/30/2024

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/15/2026

The vulnerability CVE-2024-39011 represents a critical prototype pollution issue discovered in the chargeover redoc library version 2.0.9-rc.69. This flaw resides within the mergeObjects function which is responsible for combining object properties during the documentation generation process. The vulnerability stems from inadequate input validation and sanitization mechanisms that fail to properly handle maliciously crafted object prototypes during the merging operation. When an attacker provides specially constructed input data that contains prototype pollution vectors, the mergeObjects function inadvertently modifies the Object.prototype properties, which can lead to unexpected behavior across the entire application.

The technical implementation of this vulnerability follows a classic prototype pollution pattern where attacker-controlled data flows into the mergeObjects function without proper sanitization. The function processes object merging operations by iterating through source objects and copying their properties to target objects. However, when prototype properties are present in the source objects, these properties get copied to the target object's prototype chain, effectively polluting the global Object.prototype. This contamination can occur recursively through nested object structures and can be exploited to manipulate the behavior of all objects in the JavaScript runtime environment.

The operational impact of this vulnerability extends beyond simple denial of service conditions to include potential arbitrary code execution capabilities. When prototype pollution occurs in a web application context, attackers can leverage this vulnerability to manipulate object behavior, inject malicious code into the application's execution flow, or cause unpredictable application behavior. The DoS aspect manifests when the polluted prototype properties cause infinite loops or stack overflows during object property access operations. Additionally, the vulnerability can enable attackers to bypass security controls, manipulate application logic, or perform other malicious activities that compromise the integrity and availability of the affected system.

This vulnerability aligns with CWE-471 which specifically addresses the issue of prototype pollution in software applications. The attack pattern follows the typical MITRE ATT&CK framework category of T1211 - Exploitation for Privilege Escalation, where attackers leverage application flaws to gain elevated privileges or execute unauthorized code. The vulnerability is particularly dangerous in web applications where user input flows through the documentation generation process, as it can be exploited through various attack vectors including API endpoints, configuration files, or user-supplied documentation data.

Mitigation strategies for CVE-2024-39011 should prioritize immediate patching of the chargeover redoc library to a version that addresses the prototype pollution vulnerability in the mergeObjects function. Organizations should implement comprehensive input validation and sanitization measures to prevent malicious prototype properties from entering the application through user-supplied data. Additional defensive measures include implementing prototype pollution detection mechanisms, using secure coding practices that avoid direct object merging operations with untrusted input, and employing runtime protections such as prototype lockdown features in modern JavaScript environments. Regular security assessments and dependency audits should be conducted to identify and remediate similar vulnerabilities across the application stack, ensuring that all third-party libraries are kept up to date with the latest security patches.

Responsible

MITRE

Reservation

06/21/2024

Disclosure

07/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00912

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!