External risk intelligence

Prototype Pollution in chargeover redoc allows arbitrary code execution.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2024-39011

A prototype pollution vulnerability in the `mergeObjects` function of chargeover redoc allows arbitrary code execution or denial of service. Any system that includes the affected package is exposed to these impacts, so confirming whether it is in use, and how it is exposed, is the first step in assessing risk.

Halo Surface Signal: 3

Denial of Service

chargeover/redoc

2.0.9

External exposure likelihood

Halo Surface Signal score for CVE-2024-39011

The vulnerability exists in a Node.js package (chargeover/redoc) used for documentation rendering. While such tools are often used in web applications that may be internet-facing, they are frequently integrated as internal developer tools, build-time dependencies, or documentation portals not consistently exposed to the public internet.

PCI scan relevance

PCI Relevance for CVE-2024-39011

Yes

CVE-2024-39011 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability, a Prototype Pollution in chargeover redoc, allows arbitrary code execution and denial of service, which are conditions that typically lead to an automatic failure in PCI ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A prototype pollution vulnerability has been identified in the chargeover redoc software. This flaw could allow an attacker to execute arbitrary code or disrupt services, leading to broader system impacts. The main concern is to confirm whether this specific software is in use and if it is exposed in a way that presents a risk.

  • Flaw in documentation software could allow code execution.
  • Matters if internal or external systems use this tool.
  • Confirm use and exposure to assess risk.

Attack Path

How an attacker could exploit the issue

An attacker could target a system that exposes the vulnerable `chargeover/redoc` component. By sending specially crafted input, they can exploit a prototype pollution vulnerability in the `mergeObjects` function. This could lead to the execution of arbitrary code, denial of service, or other unintended consequences.

  • Requires network access to the exposed component.
  • Triggered by malicious input to `mergeObjects`.
  • Risk of code execution or denial of service.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability, a Prototype Pollution in chargeover redoc, could affect the service's behavior by allowing arbitrary code execution or denial of service when the `mergeObjects` function is utilized. This could impact the availability and integrity of the service.

  • Service behavior and availability.
  • Via the `mergeObjects` function.
  • Potential for code execution or denial of service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in chargeover/redoc requires immediate attention from teams responsible for application development and infrastructure. The initial step is to pinpoint all instances of the affected technology, assess their exposure and business criticality, and identify the accountable system owner to plan a risk-based remediation strategy.

  • Application owners and infrastructure teams.
  • Verify where chargeover/redoc is deployed.
  • Plan remediation based on identified risk.

Frequently asked questions

What is chargeover/redoc?

chargeover/redoc is a software package built for the Node.js environment, primarily designed for rendering documentation. Developers often incorporate it into web applications, build pipelines, or internal portals to display technical information clearly.

How does CVE-2024-39011 work?

This vulnerability is a Prototype Pollution flaw, classified as CWE-1321. It occurs within the 'mergeObjects' function when the software incorrectly handles object properties. Because the function fails to sanitize input properly, an attacker can inject attacker-controlled properties into the shared prototype chain, potentially forcing the application to execute unauthorized commands or crash the service entirely.

Do I need specific inputs to trigger this bug?

Yes, an attacker must send specially crafted data to the 'mergeObjects' function to trigger the vulnerability. Simply using the software in a standard way does not cause the issue. The flaw is only activated when the component processes malicious input designed to pollute the prototype chain of objects.
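The merge pattern described in the two answers above, as an added example that is not part of the advisory and is not chargeover/redoc's own `mergeObjects` code: a simplified recursive merge that copies prototype-chain keys stands beside a hardened version that skips them, with a check that reports which one leaves `Object.prototype` untouched. The function names, the sample JSON document and the `polluted` marker are all constructed for this illustration.

```javascript
// Simplified stand-in for a recursive object merge (NOT the chargeover/redoc
// implementation). It reproduces only the CWE-1321 pattern the advisory
// describes: keys are copied without checking whether they name the
// prototype chain, so target["__proto__"] resolves to Object.prototype.
function mergeObjectsUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      mergeObjectsUnsafe(target[key], value); // recurses into Object.prototype for "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: keys that address the prototype chain are never merged,
// and nested targets are only reused when they are own properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeObjectsSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // refuse to walk into the prototype chain
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object") target[key] = {};
      mergeObjectsSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample document of the kind the advisory describes: JSON.parse
// creates an own property literally named "__proto__" rather than setting the
// prototype, so an unchecked merge will follow it.
const CONSTRUCTED_INPUT = '{"title":"API docs","__proto__":{"polluted":true}}';

// Runs one merge implementation and reports whether an unrelated fresh object
// now sees the injected property, then cleans up so later code is unaffected.
function pollutionCheck(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(CONSTRUCTED_INPUT));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, title: target.title };
}
```

A unit test like `pollutionCheck` is a cheap regression guard for any deep-merge helper in a code base, since it catches the defect without depending on how the merged data is later used.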

Is my system at risk if it uses chargeover/redoc?

Risk depends on how the tool is deployed. According to Halo Surface Signal, while this package is often found in internet-facing web applications, it is also frequently used for internal-only tasks, such as developer tools or documentation sites not accessible to the public. You should determine if your instance of this component is reachable from outside your network.

When should I prioritize fixing this?

Given the severity of potential code execution, you should prioritize this by first locating every instance of the software within your infrastructure. Identify which systems are critical and which are exposed to the network, then work with the accountable system owners to schedule and apply necessary updates or configuration changes.

References