CRITICAL🇵🇱 Wersja polska

CVE-2024-38999

CVSS 10.0v3.1pub. 2024-07-01upd. 2026-04-15

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

🤖 AI Analysis
How it works

An attacker can inject arbitrary properties into the JavaScript object prototype through the s.contexts._.configure function. Prototype pollution involves modifying the global Object.prototype, which affects the behavior of all objects in the application. Through appropriately crafted input data, an attacker can trigger arbitrary code execution (RCE) or cause the application to crash (DoS). The vulnerability can be exploited remotely, without authentication and without user interaction.

Impact

An attacker can execute arbitrary code on the server side or in a client application using the vulnerable library, and can also completely disable its operation by triggering a Denial of Service.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to update the RequireJS library as soon as possible to a version higher than 2.3.6 and verify all project dependencies that use this library.

Who is affected

jrburke RequireJS version 2.3.6

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoS
CWE
References