Total
407 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3193 | 1 Algolia | 1 Algoliasearch-helper | 2025-10-03 | N/A | 5.9 MEDIUM |
| Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be exeucted. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users. | |||||
| CVE-2025-25015 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 9.9 CRITICAL |
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors | |||||
| CVE-2025-25014 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 9.1 CRITICAL |
| A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | |||||
| CVE-2024-12556 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 8.7 HIGH |
| Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | |||||
| CVE-2025-57349 | 2025-09-29 | N/A | 7.5 HIGH | ||
| The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component. | |||||
| CVE-2025-57330 | 2025-09-29 | N/A | 7.5 HIGH | ||
| The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57328 | 2025-09-29 | N/A | 7.5 HIGH | ||
| toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57347 | 2025-09-26 | N/A | 9.8 CRITICAL | ||
| A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure. | |||||
| CVE-2025-57329 | 2025-09-26 | N/A | 7.5 HIGH | ||
| web3-core-method is a package designed to creates the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57327 | 2025-09-26 | N/A | 7.5 HIGH | ||
| spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57326 | 2025-09-26 | N/A | 7.5 HIGH | ||
| A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57325 | 2025-09-26 | N/A | 7.5 HIGH | ||
| rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57321 | 2025-09-26 | N/A | 9.8 CRITICAL | ||
| A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57353 | 2025-09-26 | N/A | 5.3 MEDIUM | ||
| The Runtime components of messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version. | |||||
| CVE-2025-26278 | 2025-09-26 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2025-57320 | 2025-09-26 | N/A | 6.5 MEDIUM | ||
| json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57351 | 2025-09-26 | N/A | 6.5 MEDIUM | ||
| A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version. | |||||
| CVE-2025-57348 | 2025-09-26 | N/A | 6.5 MEDIUM | ||
| The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date. | |||||
| CVE-2025-57323 | 2025-09-26 | N/A | 7.5 HIGH | ||
| mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEventHandler function of mpregular version 0.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57318 | 2025-09-26 | N/A | 7.5 HIGH | ||
| A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||