CVE-2024-21541
Arbitrary Code Execution vulnerability in dom-iterator (npm)
What is CVE-2024-21541 About?
This vulnerability in `dom-iterator` versions before 1.0.1 allows for arbitrary code execution due to the unsafe use of the `Function` constructor with incompletely sanitized input. An attacker can inject malicious code via controlled input that reaches the `Function` constructor, leading to the execution of arbitrary code on the server. Exploiting this flaw is relatively straightforward if user input directly influences the construction of new functions.
Affected Software
Technical Details
The vulnerability stems from the use of JavaScript's `Function` constructor in `dom-iterator` versions prior to 1.0.1. The `Function` constructor dynamically creates new functions from string arguments. If an application uses the `dom-iterator` library in a way that allows attacker-controlled input to be passed directly or indirectly as arguments to this constructor without thorough sanitization, the attacker can inject arbitrary JavaScript code. This injected code will then be executed with the privileges of the process running the JavaScript environment, leading to Arbitrary Code Execution (ACE). The risk is analogous to allowing attacker-controlled input to be evaluated by `eval()`.
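One way to avoid the pattern described above is to parse string expressions against a strict grammar and build a closure, so no part of the input is ever compiled as code. This is an added example, not code from dom-iterator or its patch; `compilePredicate`, its grammar and the blocked-name list are hypothetical, and it assumes expressions are simple property comparisons such as `nodeType == 1`.

```javascript
// Added example: a predicate compiler that never evaluates input as code.
// compilePredicate and its grammar are hypothetical, not dom-iterator's API.

const OPS = {
  '==':  (a, b) => a == b,
  '===': (a, b) => a === b,
  '!=':  (a, b) => a != b,
  '!==': (a, b) => a !== b,
};

// Allowed grammar: <identifier> <op> <number | 'string' | "string">
const EXPR = /^\s*([A-Za-z_$][\w$]*)\s*(===|!==|==|!=)\s*(-?\d+(?:\.\d+)?|'[^'\\]*'|"[^"\\]*")\s*$/;

// Property names that reach the prototype chain are refused outright.
const BLOCKED = new Set(['__proto__', 'prototype', 'constructor']);

function compilePredicate(expr) {
  if (typeof expr !== 'string') throw new TypeError('expression must be a string');
  const m = EXPR.exec(expr);
  if (!m) throw new SyntaxError('expression outside the allowed grammar');
  const [, prop, op, raw] = m;
  if (BLOCKED.has(prop)) throw new SyntaxError('property not allowed: ' + prop);
  // Quoted literals lose their quotes; everything else is a number.
  const literal = /^['"]/.test(raw) ? raw.slice(1, -1) : Number(raw);
  const test = OPS[op];
  // The closure only reads one property; nothing from expr is executed.
  return (node) => node != null && test(node[prop], literal);
}

// Generic form of the unsafe pattern, shown for contrast and never called:
//   const unsafe = (expr) => new Function('node', 'return ' + expr);

// Helper: true when an expression is refused by the grammar or block list.
function rejects(expr) {
  try {
    compilePredicate(expr);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

Anything that does not match the grammar fails closed with a `SyntaxError`, so callers can log the rejected expression instead of running it.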
What is the Impact of CVE-2024-21541?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data theft, privilege escalation, or denial of service.
What is the Exploitability of CVE-2024-21541?
Exploitation of this vulnerability is of low complexity. The primary prerequisite is that an attacker can provide input that is subsequently used without complete sanitization by the dom-iterator package, specifically when that input makes its way into the Function constructor. This is often a remote vulnerability, stemming from user-supplied data in web requests or other input channels. No specific authentication or privilege requirements are detailed, suggesting it could be exploited by unauthenticated users if the vulnerable code path is reachable. The risk of exploitation is significantly increased in applications that process untrusted external data and dynamically generate code or parse templates using affected library versions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21541?
About the Fix from Resolved Security
This patch calls `Object.freeze(node)` before executing dynamically generated functions from string expressions, preventing modification of node objects during evaluation. It fixes CVE-2024-21541 by blocking attacks that exploit dynamic code generation to mutate object properties or prototype chains, thus mitigating prototype pollution and similar attacks.
Available Upgrade Options
- dom-iterator
  - <1.0.1 → Upgrade to 1.0.1
Additional Resources
- https://github.com/matthewmueller/dom-iterator/commit/9e0e0fad5a251de5b42feb326c4204eb04080805
- https://github.com/matthewmueller/dom-iterator
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8383166
- https://security.snyk.io/vuln/SNYK-JS-DOMITERATOR-6157199
- https://nvd.nist.gov/vuln/detail/CVE-2024-21541
- https://osv.dev/vulnerability/GHSA-jrvm-mcxc-mf6m
What are Similar Vulnerabilities to CVE-2024-21541?
Similar Vulnerabilities: CVE-2023-38545, CVE-2022-22965, CVE-2021-42574, CVE-2020-15169, CVE-2019-10758
