Redoc Prototype Pollution via `Module.mergeObjects` Component

Description

A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Recommendation

Update the redoc package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.4.0
• Patched version(s): 2.4.0

References

• GHSA-9rhg-254w-fh9x
• CVE-2024-57083
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• jsonic was discovered to contain a prototype pollution via the function empty. - CVE-2024-38993
• Prototype pollution in ag-grid-community via the _.mergeDeep function - CVE-2024-38996
• Prototype pollution in ag-grid-community via the _.mergeDeep function - ag-grid-enterprise - CVE-2024-38996
• Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

redoc