FKIE_CVE-2025-57354

Vulnerability from fkie_nvd - Published: 2025-09-24 18:15 - Updated: 2025-09-26 14:32
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Summary
A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library's failure to properly validate or neutralize special characters in translation key inputs before processing.
References
cve@mitre.orghttps://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57354
cve@mitre.orghttps://github.com/martinandert/counterpart/issues/54
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability exists in the \u0027counterpart\u0027 library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library\u0027s translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library\u0027s failure to properly validate or neutralize special characters in translation key inputs before processing."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad existe en la biblioteca \u0027counterpart\u0027 para Node.js y el navegador debido a una sanitizaci\u00f3n insuficiente de la entrada controlada por el usuario en el procesamiento de claves de traducci\u00f3n. Las versiones afectadas anteriores a la 0.18.6 permiten a los atacantes manipular la funcionalidad de traducci\u00f3n de la biblioteca al proporcionar claves maliciosamente elaboradas que contienen elementos de la cadena de prototipos (por ejemplo, __proto__), lo que lleva a la contaminaci\u00f3n de prototipos. Esta vulnerabilidad permite a los adversarios inyectar propiedades arbitrarias en el prototipo de objeto de JavaScript a trav\u00e9s del primer par\u00e1metro del m\u00e9todo traducir cuando se combina con configuraciones de separador espec\u00edficas, lo que podr\u00eda resultar en condiciones de denegaci\u00f3n de servicio o ejecuci\u00f3n remota de c\u00f3digo en aplicaciones vulnerables. El problema surge del fallo de la librer\u00eda al no validar o neutralizar correctamente los caracteres especiales en las entradas de claves de traducci\u00f3n antes del procesamiento."
    }
  ],
  "id": "CVE-2025-57354",
  "lastModified": "2025-09-26T14:32:53.583",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-24T18:15:41.950",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57354"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/martinandert/counterpart/issues/54"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.