CVE-2024-57068: @tanstack/form-core prototype pollution

February 6, 2025 (updated February 20, 2025)

A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

References

gist.github.com/tariqhawis/47fe5b1e584e9e573c0933588248d533
github.com/TanStack/form
github.com/TanStack/form/commit/455522c8f3272787668f3d1afd6adbc6dc1b9e8a
github.com/TanStack/form/pull/1151
github.com/advisories/GHSA-ggv3-vmgw-xv2q
nvd.nist.gov/vuln/detail/CVE-2024-57068

Detect and mitigate CVE-2024-57068 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →