PT-2025-5752 · Unknown · Eazy-Logger
Published: 2025-02-05 · Updated: 2025-02-06 · CVE-2024-57075
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: eazy-logger version 4.0.1
Description: A prototype pollution vulnerability in the lib.Logger function allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload. The payload introduces or modifies properties on the global prototype chain; the minimum consequence is a denial of service. Depending on how the library is integrated into the application, the impact can escalate to other injection-based attacks: for instance, if the polluted property propagates to sensitive Node.js APIs, it could enable an attacker to execute arbitrary commands in the application's context.
Recommendations: As a temporary workaround, consider disabling the lib.Logger function until a patch is available. Restrict access to the Object.prototype setter to minimize the risk of exploitation. Do not pass untrusted input to JSON.parse in the affected lib.Logger code path until the issue is resolved. At the time of writing, no newer version containing a fix for this vulnerability is known.

Tags: DoS · Resource Exhaustion · Prototype Pollution

Weakness Enumeration

Related Identifiers: CVE-2024-57075, GHSA-R7JX-5M6M-CPG9

Affected Products: Eazy-Logger