CVE-2024-21505
web3-utils Prototype Pollution vulnerability
7.5
HIGH
CVSS 3.1
EPSS 0.14%
Description
Impact: The mergeDeep() function in the web3-utils package has been identified as vulnerable to Prototype Pollution. By providing carefully crafted input to the function, an attacker can modify an object's prototype, which could change the behavior of every object that inherits from the affected prototype.
Patches: The issue is fixed in web3-utils version 4.2.1, so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.
Workarounds: None
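The bug class described above, shown from the defensive side as an added example that is not web3-utils code: a deep merge that drops the keys through which a caller-controlled source object could reach Object.prototype, together with a check that the shared prototype stays untouched after merging. The names safeMergeDeep, isPlainObject and demo, and the constructed payload, are assumptions of this example.

```javascript
// Added example (not web3-utils code): a deep merge that refuses to write
// through the keys that lead from a plain object to Object.prototype.
// Assumption: sources are JSON-decoded objects controlled by a caller.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeMergeDeep(destination, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Own keys only: nothing inherited from the source's prototype chain.
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // drop the polluting key outright
      const value = source[key];
      if (isPlainObject(value)) {
        // Recurse only into an own plain object on the destination; an
        // inherited property (e.g. toString) is replaced by a fresh object.
        if (!Object.prototype.hasOwnProperty.call(destination, key) ||
            !isPlainObject(destination[key])) {
          destination[key] = {};
        }
        safeMergeDeep(destination[key], value);
      } else {
        destination[key] = value;
      }
    }
  }
  return destination;
}

// Constructed input: JSON.parse turns "__proto__" into an ordinary own
// property, which is exactly what a naive merge would then copy.
const constructedPayload = JSON.parse('{"__proto__":{"polluted":true},"gas":21000}');

// Merge the payload and report whether Object.prototype was touched.
function demo() {
  const merged = safeMergeDeep({ gas: 1 }, constructedPayload);
  return { gas: merged.gas, leaked: ({}).polluted };
}
```

The same `leaked` check, run after calling the real merge routine a project ships, is a cheap regression test for this vulnerability class.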
How to fix CVE-2024-21505
To remediate CVE-2024-21505, upgrade the affected package to a fixed version below.
- upgrade to 4.2.1 or later
Is CVE-2024-21505 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- web3-utils >= 4.0.1, < 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |