CVE-2024-36575 is a critical security vulnerability classified as Prototype Pollution found in the getsetprop JavaScript library version 1.1.0. Prototype Pollution occurs when an attacker can manipulate the prototype of a base object, thereby altering the behavior of all objects inheriting from it. In this case, the vulnerability arises through the global.accessor property, which can be exploited to inject malicious code. This flaw allows an attacker to execute arbitrary code remotely without any authentication or user interaction, making it highly dangerous. The vulnerability is linked to CWE-94, which corresponds to improper control of code generation, indicating that the injected code can be executed in the context of the vulnerable application. The CVSS 3.1 score of 9.8 reflects the vulnerability's high exploitability (network vector, low attack complexity) and severe impact on confidentiality, integrity, and availability. Although no public patches or known exploits are currently available, the threat is imminent due to the widespread use of JavaScript libraries in web applications. Attackers exploiting this vulnerability could gain full control over affected systems, leading to data breaches, service disruption, or further lateral movement within networks.

The impact of CVE-2024-36575 is severe for organizations worldwide, especially those relying on getsetprop 1.1.0 within their web applications or backend services. Successful exploitation can lead to arbitrary code execution, resulting in complete system compromise. This can cause unauthorized data access, data modification or deletion, and disruption of service availability. Attackers could deploy malware, ransomware, or use compromised systems as pivot points for further attacks within corporate networks. The vulnerability's network accessibility and lack of required privileges or user interaction increase the risk of widespread exploitation. Organizations in sectors handling sensitive data such as finance, healthcare, government, and critical infrastructure face heightened risks. Additionally, supply chain attacks could leverage this vulnerability to compromise downstream software products and services.

To mitigate CVE-2024-36575, organizations should immediately audit their software dependencies to identify usage of getsetprop 1.1.0 and upgrade to a patched version once available. In the absence of an official patch, consider temporarily removing or replacing the vulnerable library with a secure alternative. Implement strict input validation and sanitization to prevent prototype pollution attacks. Employ runtime application self-protection (RASP) and web application firewalls (WAF) configured to detect and block suspicious prototype manipulation patterns. Conduct thorough code reviews focusing on object prototype handling and global property access. Monitor application logs and network traffic for unusual behavior indicative of exploitation attempts. Educate development teams about secure coding practices related to JavaScript prototype handling. Finally, maintain an incident response plan to quickly address any detected exploitation.