Progress Telerik KendoReact Prototype Pollution Vulnerability Allowing Denial-of-Service or Command Injection

Vulnerability

A prototype pollution vulnerability exists in Progress Telerik KendoReact versions from 3.5.0 up to, but not including, 9.4.0. It allows attackers to introduce or modify properties on the global prototype chain (for example, Object.prototype), so that every object in the application inherits the injected values. This manipulation can lead to denial-of-service conditions or command injection vulnerabilities.
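
As an added illustration of the vulnerability class, not KendoReact's code (the advisory does not identify the affected code path), the constructed JavaScript below shows the usual sink, a recursive merge that trusts attacker-controlled keys, beside a hardened merge and a check a test suite can run to detect pollution of the global prototype; `unsafeMerge`, `safeMerge`, `isPrototypePolluted` and `compareMerges` are hypothetical names.

```javascript
// Added example (not KendoReact's code): constructed weak merge, hardened
// merge, and a detection check for pollution of Object.prototype.

// Constructed weak merge: walks into any key the input names, including
// "__proto__", which on a plain object resolves to Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && typeof target[key] === 'object') {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: refuse keys that reach the prototype chain and only
// recurse into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (value && typeof value === 'object' && own && target[key] && typeof target[key] === 'object') {
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: a fresh empty object must not "see" any of the probe keys.
function isPrototypePolluted(probeKeys) {
  return probeKeys.some((key) => key in {});
}

// Runs both merges on the same untrusted JSON (constructed sample) and reports
// which one left a property on Object.prototype. JSON.parse is used on purpose:
// in an object literal "__proto__" sets the prototype instead of creating an
// own key, so a literal would not reproduce what parsed user input does.
function compareMerges() {
  const untrusted = '{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}';
  const before = isPrototypePolluted(['polluted']);
  safeMerge({ theme: {} }, JSON.parse(untrusted));
  const afterSafe = isPrototypePolluted(['polluted']);
  unsafeMerge({ theme: {} }, JSON.parse(untrusted));
  const afterUnsafe = isPrototypePolluted(['polluted']);
  delete Object.prototype.polluted; // restore global state for the rest of the process
  return { before, afterSafe, afterUnsafe };
}
```

The same `isPrototypePolluted` probe, run after each test in a CI suite, is a cheap way to catch a regression of this class before it ships.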

Impact

Exploitation of this vulnerability can cause denial-of-service conditions or allow for command injection.

Remediation

Users are advised to update to Progress Telerik KendoReact version 9.4.0 or later. The updated packages are available via npm. For instructions on updating to version 9.4.0, refer to the KendoReact installation documentation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.2
impact          7.5
exploitability  2.8
remediation     7.7
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.