
Vulnerable Components

A06:2021 - Vulnerable and Outdated Components (outdated dependencies)

What are Vulnerable Components?

Using components (libraries, frameworks, software modules) that have known security vulnerabilities, including outdated dependencies with published CVEs. A vulnerable component runs with the full privileges of the application that imports it, so a flaw in a utility library is a flaw in every request path that calls it.

Common Risks:

  • Prototype pollution in lodash and similar utility libraries (deep merge/extend helpers)
  • Remote code execution in outdated frameworks
  • ReDoS (regular-expression denial of service) in validation libraries
  • XSS in outdated jQuery and other client-side libraries
  • Known CVEs with public exploits
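The first thing a practitioner wants for A06 is an inventory check: which installed copies of a package sit below the version that fixes a published CVE. The script below is an added example, not code from this page or from any tool it mentions. The lockfile it reads is constructed for the demo (lockfileVersion 2/3 "packages" layout, with a vulnerable top-level lodash and a patched nested copy); the advisory entry is the real one for CVE-2019-10744 (lodash prototype pollution, fixed in 4.17.12). The helper names (`findVulnerablePackages`, `compareVersions`, `packageNameFromPath`) are this example's own.

```javascript
// Added example (not from the page): flag dependencies pinned below the version
// that fixes a published CVE, using package-lock.json as the inventory.
// The lockfile is constructed for the demo; the advisory data for
// CVE-2019-10744 (lodash, fixed in 4.17.12) is real.

const ADVISORIES = [
  { id: 'CVE-2019-10744', name: 'lodash', fixedIn: '4.17.12',
    summary: 'prototype pollution via defaultsDeep' },
];

// Constructed package-lock.json: vulnerable top-level lodash plus a patched
// nested copy pulled in by another package (npm installs duplicates by path).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.11', 'some-lib': '1.0.0' } },
    'node_modules/lodash': { version: '4.17.11' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.21' },
    'node_modules/@scope/pkg': { version: '2.0.0' },
  },
});

// Dotted numeric version compare: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes are dropped, which is enough for the advisories checked here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is the last node_modules segment; scoped names keep "@scope/".
function packageNameFromPath(path) {
  const m = /node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
  return m ? m[1] : null;
}

// Walk every installed copy and report each one older than a matching fix version.
// A patched copy at one path does not clear a vulnerable copy at another.
function findVulnerablePackages(lockfileJson, advisories = ADVISORIES) {
  const lock = JSON.parse(lockfileJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !entry.version) continue;
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({ path, name, version: entry.version,
                        advisory: adv.id, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Usage: console.table(findVulnerablePackages(SAMPLE_LOCKFILE));
```

Run against the constructed lockfile, only `node_modules/lodash` at 4.17.11 is reported; the nested 4.17.21 copy under `some-lib` is already past the fix version. In a real pipeline the advisory list would come from a vulnerability database rather than a hard-coded array, and the check would run on every lockfile change.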

Before WAF: Vulnerable

Without Cloudflare WAF in front of the application, requests reach the vulnerable dependency directly and published exploits work as-is.

Step 1: Exploit Prototype Pollution

# View the installed (vulnerable) package versions
GET /api/vulnerable-components

# Exploit CVE-2019-10744 - prototype pollution in lodash (versions before 4.17.12)
POST /api/vulnerable-components
Content-Type: application/json

{"__proto__": {"isAdmin": true}}

Vulnerability: Outdated lodash (before 4.17.12) deep-merges attacker-controlled JSON into an existing object without special-casing the __proto__ key, so the nested values are written onto Object.prototype. Every object created afterwards inherits isAdmin: true, including the user object a later authorization check reads.
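To make the mechanism concrete, the block below is an added example (not code from this page, and not lodash's source): a minimal recursive merge that takes the same code path the pre-4.17.12 lodash deep merge did, beside a hardened merge, with a simulated handler standing in for the page's POST endpoint. The request body is the constructed payload shown above; the function names (`mergeUnsafe`, `mergeSafe`, `handleRequest`) and the per-user settings object are this example's own.

```javascript
// Added example (not the page's or lodash's code): a merge that is vulnerable to
// CVE-2019-10744-style prototype pollution, beside a hardened version.

function isPlainObjectLike(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into target[key] for any object-valued source key.
// JSON.parse gives the body an own property literally named "__proto__";
// target["__proto__"] then evaluates to Object.prototype, and the recursion
// writes the attacker's values onto it, i.e. onto every object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObjectLike(value) && isPlainObjectLike(target[key])) {
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, recurse only into
// the target's own properties, and otherwise start from a fresh object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (isPlainObjectLike(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObjectLike(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request bodies: the exploit from this page, and a benign update.
const ATTACK_BODY = '{"__proto__": {"isAdmin": true}}';
const BENIGN_BODY = '{"theme": "dark", "prefs": {"lang": "en"}}';

// Stand-in for the page's POST /api/vulnerable-components handler: merge the
// body into a per-user settings object, then read the flag an authorization
// check would use. Also reports whether an unrelated object is now "admin".
function handleRequest(mergeFn, body) {
  const settings = { name: 'alice', theme: 'light' };
  let error = null;
  try {
    mergeFn(settings, JSON.parse(body));
  } catch (e) {
    error = e.message;
  }
  const freshObject = {};
  const result = {
    error,
    settings,
    settingsIsAdmin: settings.isAdmin === true,
    anyObjectIsAdmin: freshObject.isAdmin === true,
  };
  // Undo any pollution so the demo can run more than once in one process.
  delete Object.prototype.isAdmin;
  return result;
}

// Usage:
// console.log(handleRequest(mergeUnsafe, ATTACK_BODY)); // settingsIsAdmin and anyObjectIsAdmin both true
// console.log(handleRequest(mergeSafe, ATTACK_BODY));   // rejected, neither flag set
```

With `mergeUnsafe` the settings object never gets an own `isAdmin` property; it inherits one, as does every other object, which is why the bug is so hard to spot from the merged value alone. `mergeSafe` rejects the request outright; silently skipping the key is the other common choice, but a thrown error also gives you a log line to alert on.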

After WAF: Protected

With Cloudflare WAF in front of the application, requests matching known CVE exploit patterns are blocked before they reach the origin.

Enable Cloudflare Protection:

  1. Go to Cloudflare Dashboard → Security → WAF
  2. Enable "Cloudflare Managed Ruleset"
  3. Enable rules for prototype pollution attacks
  4. Monitor security events for CVE exploit pattern matches

Result: Known CVE exploit patterns are blocked at the edge. This is a compensating control, not a fix: the vulnerable lodash is still installed, and any payload the rules do not recognize still reaches it. Upgrading lodash to 4.17.12 or later (and auditing the rest of the dependency tree) removes the vulnerability itself.
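The block below is an added example of the kind of request inspection an edge rule performs, written here as plain JavaScript so it can be run and reasoned about; it is not Cloudflare's rule logic and not code from this page. It contrasts a regex over the raw body with a parse-then-walk check, using constructed request bodies. The last body encodes the key as `\u005f\u005fproto__`, which is valid JSON for `__proto__`; a raw-string pattern misses it, the walk does not. The names (`inspectBody`, `findPollutionKeys`, `rawBodyLooksPolluting`) are this example's own.

```javascript
// Added example (not Cloudflare's rules, not the page's code): detect prototype
// pollution payloads in a JSON request body, before the body reaches any merge.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Pattern over the raw body, the shape a quick signature tends to take.
function rawBodyLooksPolluting(body) {
  return /"(?:__proto__|constructor|prototype)"\s*:/.test(body);
}

// Parse, then walk every object and array, recording the path of each
// dangerous key. Own properties named "__proto__" from JSON.parse are
// ordinary data properties here, so value[key] reads the attacker's object.
function findPollutionKeys(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findPollutionKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (DANGEROUS_KEYS.has(key)) hits.push(here);
      hits.push(...findPollutionKeys(value[key], here));
    }
  }
  return hits;
}

// Verdict for one request body: "allow", "block" (dangerous key found) or
// "reject" (not JSON). rawMatch shows what the raw-string pattern alone saw.
function inspectBody(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { verdict: 'reject', reason: 'invalid JSON', hits: [], rawMatch: rawBodyLooksPolluting(body) };
  }
  const hits = findPollutionKeys(parsed);
  return { verdict: hits.length ? 'block' : 'allow', hits, rawMatch: rawBodyLooksPolluting(body) };
}

// Constructed sample bodies. The "escaped" one is the exploit key written with
// JSON unicode escapes; the double backslashes keep them literal in the string.
const SAMPLE_BODIES = {
  benign: '{"name": "alice", "prefs": {"theme": "dark"}}',
  direct: '{"__proto__": {"isAdmin": true}}',
  nested: '{"settings": {"constructor": {"prototype": {"isAdmin": true}}}}',
  inArray: '[{"ok": 1}, {"__proto__": {"isAdmin": true}}]',
  escaped: '{"\\u005f\\u005fproto__": {"isAdmin": true}}',
};

// Usage:
// for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
//   console.log(name, inspectBody(body));
// }
```

The point of the `escaped` case is the caveat that matters when you lean on edge blocking: a signature over the raw bytes is only as good as the encodings it anticipates, so the origin still needs to treat these keys as hostile even with the WAF in place.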

Cloudflare Protection

  • CVE Detection: Block known vulnerability exploits
  • Prototype Pollution: Detect and block __proto__ attacks
  • API Shield: Anomalous API behavior detection