PT-2024-18920 · Unknown · Web3-Utils

Tariq Hawis · Published 2024-03-24 · Updated 2024-08-01 · CVE-2024-21505

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

web3-utils versions prior to 4.2.1

Description

The issue concerns Prototype Pollution via the utility functions format and mergeDeep, caused by an insecure recursive merge. By passing specially crafted input to these functions, an attacker can manipulate an object's prototype, potentially altering the behavior of every object that inherits from the affected prototype.

Recommendations

For versions prior to 4.2.1, upgrade to web3-utils version 4.2.1 to resolve the issue. As a temporary workaround, consider restricting the use of the mergeDeep() function until the upgrade is applied. Additionally, be cautious when using the format function with untrusted input to minimize the risk of exploitation.
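To make the bug class concrete, here is an added example that is not code from web3-utils or from this advisory: a recursive merge of the shape described above (no filtering of special keys), beside a hardened form that refuses the keys reaching the prototype chain and only recurses into properties the target itself owns. The function names (unsafeMergeDeep, safeMergeDeep, pollutesGlobalPrototype, mergeExample) and the crafted JSON input are constructed for the illustration; the format function mentioned in the advisory is not modelled here.

```javascript
// Added illustration, not code from web3-utils: a recursive merge in the
// shape the advisory describes beside a hardened version. All names are
// hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable shape: every own key of `source` is walked, including one
// literally named "__proto__", so target["__proto__"] (which resolves to
// Object.prototype) becomes a merge target and receives caller-chosen keys.
function unsafeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that reach the prototype chain, and only recurse
// into a child object that `target` owns itself, never an inherited one.
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownChild =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      const child = ownChild ? target[key] : {};
      target[key] = child;
      safeMergeDeep(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input of the kind the advisory calls "specially crafted":
// JSON.parse creates an *own* data property whose name is "__proto__".
const CRAFTED_INPUT_JSON = '{"__proto__": {"polluted": true}}';

// Returns true when merging the crafted input through `merge` changed
// Object.prototype, observed through an unrelated object created beforehand.
// Cleans up afterwards so the rest of the process is unaffected.
function pollutesGlobalPrototype(merge) {
  const bystander = {};
  try {
    merge({}, JSON.parse(CRAFTED_INPUT_JSON));
    return bystander.polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Ordinary nested merging still works with the hardened version.
function mergeExample() {
  return JSON.stringify(safeMergeDeep({ a: { x: 1 } }, { a: { y: 2 }, b: 3 }));
}

console.log('unsafeMergeDeep pollutes:', pollutesGlobalPrototype(unsafeMergeDeep)); // true
console.log('safeMergeDeep pollutes:', pollutesGlobalPrototype(safeMergeDeep));     // false
console.log('normal merge:', mergeExample()); // {"a":{"x":1,"y":2},"b":3}
```

Run it with node. The first check reports true and the second false, which is the behaviour a unit test for any deep-merge helper that accepts untrusted objects should pin down. The same key allow-list can be applied in front of a format-style helper while an upgrade is pending, and calling Object.freeze(Object.prototype) at process start-up is an additional process-wide mitigation for this bug class.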

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2024-21505
GHSA-2G4C-8FPM-C46V
GHSA-87QP-7CW8-8Q9C

Affected Products

Web3-Utils