CVE-2024-21505

HIGH

NPM Web3-utils < 4.2.1 - Prototype Pollution

Title source: rule

Description

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

References (2)

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337

[Patch] https://github.com/web3/web3.js/commit/8ed041c6635d807b3da8960ad49e125e3d1b0e80

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0010

EPSS Percentile 28.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

n/a/web3-utils < 4.2.1

npm/web3-utils 4.0.1 - 4.2.1npm

Published Mar 25, 2024

Tracked Since Feb 18, 2026