CVE-2024-1594
Prototype Pollution vulnerability in mlflow (PyPI)

Prototype Pollution No known exploit

What is CVE-2024-1594 About?

This vulnerability is a Prototype Pollution flaw in versions of the 'dset' package before 3.1.4, caused by improper user input sanitization. Attackers can inject malicious properties into the JavaScript `Object.prototype`, which can impact all objects in the program. Exploitation is relatively easy, requiring control over input to the `dset` function.

Affected Software

mlflow <=2.9.2

Technical Details

The `dset` package, in versions prior to 3.1.4, contains a Prototype Pollution vulnerability. This occurs because the `dset` function improperly sanitizes user input, allowing an attacker to manipulate object properties, including the built-in `__proto__` property. By crafting an input that includes `__proto__` or `constructor.prototype` as a key, an attacker can directly inject or modify properties on the global `Object.prototype`. Since most JavaScript objects inherit from `Object.prototype`, these injected properties become available to all objects across the application. This can lead to various issues, including denial of service, arbitrary code execution, or property manipulation in other parts of the application.
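The mechanism described above, as an added example that is not dset's source code or its actual fix: `naiveSet`, `safeSet`, `toKeys` and `demo` are hypothetical names, and the input path is constructed. It places an unfiltered deep setter beside a hardened one that rejects prototype-reaching path segments and only descends into own properties.

```javascript
// Added example: hypothetical helpers, not taken from the dset package.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise a dotted string or array path to string keys.
const toKeys = (path) => (Array.isArray(path) ? path : String(path).split('.')).map(String);

// Unfiltered deep setter: the pattern the advisory describes.
function naiveSet(obj, path, value) {
  const keys = toKeys(path);
  let node = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k]; // a '__proto__' segment resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened setter: block dangerous segments, walk own properties only.
function safeSet(obj, path, value) {
  const keys = toKeys(path); // String() also flattens nested arrays such as [['__proto__']]
  const bad = keys.find((k) => BLOCKED.has(k));
  if (bad !== undefined) throw new TypeError(`blocked path segment: ${bad}`);
  const define = (o, k, v) =>
    Object.defineProperty(o, k, { value: v, writable: true, enumerable: true, configurable: true });
  let node = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) define(node, k, {});
    node = node[k];
  }
  define(node, keys[keys.length - 1], value);
  return obj;
}

// Runs both setters on the same constructed path and restores Object.prototype.
function demo() {
  naiveSet({}, '__proto__.polluted', true);
  const naivePolluted = ({}).polluted === true; // unrelated object sees the property
  delete Object.prototype.polluted;             // clean up after the demonstration
  let safeRejected = false;
  try { safeSet({}, '__proto__.polluted', true); } catch (e) { safeRejected = e instanceof TypeError; }
  const safePolluted = 'polluted' in {};
  return { naivePolluted, safeRejected, safePolluted, normal: safeSet({}, 'a.b.c', 1) };
}

console.log(demo());
```

The same block list can be applied as a validation step in front of any deep-set helper that receives externally supplied paths.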

What is the Impact of CVE-2024-1594?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript objects, potentially leading to remote code execution, denial of service, or unauthorized modification of application logic.

What is the Exploitability of CVE-2024-1594?

Exploitation is typically low to moderate complexity. It requires the attacker to be able to supply controlled input to the `dset` function within the affected JavaScript environment. No authentication or specific privileges are inherently needed, as it relies on input validation flaws. This vulnerability is usually remote, as the attacker sends crafted data (e.g., JSON, URL parameters) that is processed by the vulnerable function. The main condition is that the application must use the `dset` package with user-controlled input paths without adequate sanitization. The risk is elevated in Node.js applications and client-side JavaScript that processes external data using the affected library.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2024-1594?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2024-1594?

Similar Vulnerabilities: CVE-2023-50021, CVE-2023-46233, CVE-2023-28155, CVE-2022-25906, CVE-2022-25878