Description

A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. It affects an unknown function in the file lib/input.js of the component Formatter Handler. Manipulation leads to improperly controlled modification of object prototype attributes (prototype pollution). The attack can be launched remotely, but it has high complexity and exploitation is said to be difficult. Upgrading to version 3.5.6 fixes this issue; the patch is identified as 04f9feb24bfca23567706392f9ad2c53bbe4134e. Upgrading the affected component is recommended. A successful exploitation can "only occur if the parent NodeJS application has the same security issue".

PUBLISHED Reserved 2026-01-04 | Published 2026-01-07 | Updated 2026-02-23 | Assigner VulDB




LOW: 2.3 | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
MEDIUM: 5.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
MEDIUM: 5.0 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
4.6 | AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C

Problem types

Improperly Controlled Modification of Object Prototype Attributes

Code Injection

Product status

fbcd349077ad0e8748be73eab2a82ea92b6f8a7e: affected
3.5.6: unaffected

Timeline

2024-06-12: Advisory disclosed
2024-06-12: Countermeasure disclosed
2026-01-04: VulDB entry created
2026-01-07: VulDB entry last update

Credits

VulDB GitHub Commit Analyzer tool

References

vuldb.com/?id.339503 (VDB-339503 | carboneio carbone Formatter input.js prototype pollution) vdb-entry technical-description

vuldb.com/?ctiid.339503 (VDB-339503 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

github.com/...ommit/04f9feb24bfca23567706392f9ad2c53bbe4134e patch

github.com/carboneio/carbone/releases/tag/3.5.6 patch

github.com/carboneio/carbone/ product

cve.org (CVE-2024-14020)

nvd.nist.gov (CVE-2024-14020)
