FKIE_CVE-2025-57351
Vulnerability from fkie_nvd - Published: 2025-09-24 19:15 - Updated: 2025-09-26 14:32
Severity: MEDIUM (CVSS 3.1 base score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, secondary assessment; NVD status: Awaiting Analysis; weakness: CWE-1321)
Summary
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.
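As an added illustration, not code from ts-fns and not the proof of concept linked in the references, the following JavaScript models the bug class the summary describes: a deep key-path `assign(target, keyPath, value)` helper that creates intermediate objects without checking the key segments, placed beside a hardened version. The helper names, the dotted-path syntax, the `isAdmin` check and the attacker payload are constructed for this example.

```javascript
'use strict';

// Added example (not ts-fns's own code, and not the linked PoC): a deep
// key-path assign helper modelled on the bug class in the advisory, beside a
// hardened version. Names, the dotted-path syntax and the attacker payload
// below are constructed for illustration.

// Vulnerable: walks "a.b.c", creating intermediate objects, with no check on
// the segments. "__proto__" resolves to Object.prototype and "constructor"
// resolves to Object, so the final write lands on the shared prototype.
function vulnerableAssign(target, keyPath, value) {
  const parts = keyPath.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject the dangerous segments outright, and only descend into
// properties the current object actually owns, so an inherited value can
// never be used as the next hop.
function safeAssign(target, keyPath, value) {
  const parts = keyPath.split('.');
  for (const k of parts) {
    if (FORBIDDEN.has(k)) throw new TypeError(`refusing to assign through key "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Models the impact the advisory describes: an authorization check that reads
// `isAdmin` off a request-scoped object passes for every object once
// Object.prototype carries that property.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Runs the attacker payload (constructed: a JSON body naming a key path)
// through both helpers and reports what happened; cleans up the prototype
// afterwards so the rest of the process is unaffected.
function demo() {
  const payload = JSON.parse('{"path":"__proto__.isAdmin","value":true}');
  const guest = {};
  const before = isAdmin(guest);
  vulnerableAssign({}, payload.path, payload.value);
  const after = isAdmin(guest);           // true: the bare object now "is admin"
  delete Object.prototype.isAdmin;

  // Second route through the constructor; reaches the same prototype.
  vulnerableAssign({}, 'constructor.prototype.polluted', 1);
  const viaConstructor = ({}).polluted === 1;
  delete Object.prototype.polluted;

  let rejected = false;
  try {
    safeAssign({}, payload.path, payload.value);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const stillClean = isAdmin(guest) === false && ({}).polluted === undefined;
  return { before, after, viaConstructor, rejected, stillClean };
}

console.log(demo());
```

Run it with `node`. Two points worth noting: the safe variant refuses the dangerous segments rather than silently dropping them, because a silently skipped segment can still write to an unexpected place; and an own-property check alone is not enough, since `obj["__proto__"] = {}` does not create an own property but replaces the prototype. As defence in depth, `Object.freeze(Object.prototype)` at process start makes the write in `vulnerableAssign` a no-op (a TypeError in strict mode), at the cost of breaking any dependency that legitimately extends `Object.prototype`. The advisory's affected range is ts-fns versions prior to 13.0.7; `npm ls ts-fns` shows which version a project actually resolves.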
References
- https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57351 (source: cve@mitre.org; proof of concept)
- https://github.com/tangshuang/ts-fns/issues/36 (source: cve@mitre.org; upstream issue)
Impacted products
| Vendor | Product | Version |
|---|---|---|
No CPE configurations are attached to this record yet (vulnStatus: Awaiting Analysis); the affected range stated in the summary is ts-fns versions prior to 13.0.7.
```json
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object\u0027s prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library\u0027s public API functions. This issue remains unaddressed in the latest available version."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Contaminaci\u00f3n de Prototipos en las versiones del paquete ts-fns anteriores a la 13.0.7, donde una validaci\u00f3n insuficiente de las claves proporcionadas por el usuario en la funci\u00f3n assign permite a los atacantes manipular la cadena Object.prototype. Al explotar esta falla, los adversarios pueden inyectar propiedades arbitrarias en el prototipo del objeto global, lo que podr\u00eda llevar a ca\u00eddas de la aplicaci\u00f3n, comportamientos inesperados de ejecuci\u00f3n de c\u00f3digo o omisi\u00f3n de l\u00f3gicas de validaci\u00f3n cr\u00edticas para la seguridad dependientes de la integridad del prototipo. La vulnerabilidad se origina en un manejo inadecuado de las operaciones de asignaci\u00f3n de propiedades profundas dentro de las funciones de la API p\u00fablica de la biblioteca. Este problema sigue sin resolverse en la \u00faltima versi\u00f3n disponible."
}
],
"id": "CVE-2025-57351",
"lastModified": "2025-09-26T14:32:53.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-09-24T19:15:40.363",
"references": [
{
"source": "cve@mitre.org",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57351"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/tangshuang/ts-fns/issues/36"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.