CVE-2024-21541

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-21541
Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/matthewmueller/dom-iterator/commit/9e0e0fad5a251de5b42feb326c4204eb04080805
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8383166
https://security.snyk.io/vuln/SNYK-JS-DOMITERATOR-6157199 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:matthewmueller:dom-iterator:*:*:*:*:*:node.js:*:*
History

14 Jan 2025, 17:15

Type Values Removed Values Added
References
  • () https://github.com/matthewmueller/dom-iterator/commit/9e0e0fad5a251de5b42feb326c4204eb04080805 -
  • () https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8383166 -
Summary All versions of the package dom-iterator are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval. Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.

19 Nov 2024, 16:20

Type Values Removed Values Added
CPE cpe:2.3:a:matthewmueller:dom-iterator:*:*:*:*:*:node.js:*:*
References () https://security.snyk.io/vuln/SNYK-JS-DOMITERATOR-6157199 - () https://security.snyk.io/vuln/SNYK-JS-DOMITERATOR-6157199 - Exploit, Third Party Advisory
First Time Matthewmueller dom-iterator
Matthewmueller
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CWE CWE-94

13 Nov 2024, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-13 05:15

Updated : 2025-01-14 17:15

NVD link : CVE-2024-21541

Mitre link : CVE-2024-21541

JSON object : View

Products Affected

matthewmueller

  • dom-iterator
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')