CVE-2024-32866

2024-04-2321:15:48

CWE-1321

[email protected]

web.nvd.nist.gov

conform library

form validation

nested objects

prototype pollution

server-side validation

vulnerability

patch

cve-2024-32866

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

0.0004 Low

EPSS

Percentile

15.5%

JSON

Conform, a type-safe form validation library, allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to parseWith... functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.