CVE-2025-57351

{"id": "CVE-2025-57351", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-09-24T19:15:40.363", "references": [{"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57351", "source": "cve@mitre.org"}, {"url": "https://github.com/tangshuang/ts-fns/issues/36", "source": "cve@mitre.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version."}, {"lang": "es", "value": "Existe una vulnerabilidad de Contaminaci\u00f3n de Prototipos en las versiones del paquete ts-fns anteriores a la 13.0.7, donde una validaci\u00f3n insuficiente de las claves proporcionadas por el usuario en la funci\u00f3n assign permite a los atacantes manipular la cadena Object.prototype. Al explotar esta falla, los adversarios pueden inyectar propiedades arbitrarias en el prototipo del objeto global, lo que podr\u00eda llevar a ca\u00eddas de la aplicaci\u00f3n, comportamientos inesperados de ejecuci\u00f3n de c\u00f3digo o omisi\u00f3n de l\u00f3gicas de validaci\u00f3n cr\u00edticas para la seguridad dependientes de la integridad del prototipo. La vulnerabilidad se origina en un manejo inadecuado de las operaciones de asignaci\u00f3n de propiedades profundas dentro de las funciones de la API p\u00fablica de la biblioteca. Este problema sigue sin resolverse en la \u00faltima versi\u00f3n disponible."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cve@mitre.org"}