CVE-2024-38999 requirejs v2.3.6 was discovered to contain a prototype pollution

maximthomas · web-flow · commit d68f67b8f89a · 2025-08-29T16:45:08.000+03:00
CVE-2024-38999 requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties
diff --git a/commons/selfservice/example-ui/src/main/resources/index.html b/commons/selfservice/example-ui/src/main/resources/index.html
@@ -21,7 +21,7 @@
 <div id="dialogs"></div>
 <footer id="footer" class="footer"></footer>
 
-<script data-main="main" src="libs/requirejs-2.1.14-min.js"></script>
+<script data-main="main" src="libs/requirejs-2.3.7-min.js"></script>
 
 </body>
 </html>
diff --git a/commons/selfservice/example/src/license/THIRD-PARTY.properties b/commons/selfservice/example/src/license/THIRD-PARTY.properties
@@ -28,7 +28,7 @@ org.forgerock.commons.ui.libs--i18next--1.7.3=123
 org.forgerock.commons.ui.libs--jquery--2.1.1=123
 org.forgerock.commons.ui.libs--js2form--2.0=123
 org.forgerock.commons.ui.libs--moment--2.8.1=123
-org.forgerock.commons.ui.libs--requirejs--2.1.14=123
+org.forgerock.commons.ui.libs--requirejs--2.3.7=123
 org.forgerock.commons.ui.libs--spin--2.0.1=123
 org.forgerock.commons.ui.libs--titatoggle--1.2.6=123
 org.forgerock.commons.ui.libs--xdate--0.8=123
diff --git a/ui/mock/src/main/resources/index.html b/ui/mock/src/main/resources/index.html
@@ -23,7 +23,7 @@
 <div id="dialogs"></div>
 <footer id="footer" class="footer text-muted"></footer>
 
-<script data-main="main" src="libs/requirejs-2.1.14-min.js"></script>
+<script data-main="main" src="libs/requirejs-2.3.7-min.js"></script>
 
 </body>
 </html>
diff --git a/ui/mock/src/test/qunit/index.html b/ui/mock/src/test/qunit/index.html
@@ -27,7 +27,7 @@
     <script src="../www/libs/qunit-2.20.1.js"></script>
     <script>QUnit.config.autostart = false;</script>
 
-    <script data-main="testRunner" src="../www/libs/requirejs-2.1.14-min.js"></script>
+    <script data-main="testRunner" src="../www/libs/requirejs-2.3.7-min.js"></script>
     <script>define('qunit', function () { return QUnit; });</script>
 </body>
 </html>
diff --git a/ui/pom.xml b/ui/pom.xml
@@ -229,7 +229,7 @@
             <artifactItem>
               <groupId>org.openidentityplatform.commons.ui.libs</groupId>
               <artifactId>requirejs</artifactId>
-              <version>2.1.14</version>
+              <version>2.3.7</version>
               <classifier>min</classifier>
               <packaging>js</packaging>
               <downloadUrl>https://cdnjs.cloudflare.com/ajax/libs/require.js/{version}/require.{classifier}.{packaging}</downloadUrl>
@@ -606,7 +606,7 @@
       <dependency>
         <groupId>org.openidentityplatform.commons.ui.libs</groupId>
         <artifactId>requirejs</artifactId>
-        <version>2.1.14</version>
+        <version>2.3.7</version>
         <classifier>min</classifier>
         <type>js</type>
       </dependency>
