CVE-2024-21505

HIGH

web3-utils < 4.2.1 - Prototype Pollution via Format and MergeDeep Utility Functions

Title source: llm

Description

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

References (2)

Core 2

Core References

Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337

Patch

https://github.com/web3/web3.js/commit/8ed041c6635d807b3da8960ad49e125e3d1b0e80

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0071

EPSS Percentile 48.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

n/a/web3-utils < 4.2.1

npm/web3-utils 4.0.1 - 4.2.1npm

Published Mar 25, 2024

Tracked Since Feb 18, 2026