ghsa-2xv9-ghh9-xc69
Vulnerability from github
Published
2025-05-27 15:03
Modified
2025-05-27 15:03
Severity ?
6.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Details

Impact

This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.

Patches

The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.

Workarounds

Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.

References

  • Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
  • CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "radashi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-27T15:03:05Z",
    "nvd_published_at": "2025-05-27T05:15:23Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThis is a prototype pollution vulnerability. It impacts users of the `set` function within the Radashi library. If an attacker can control parts of the `path` argument to the `set` function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.\n\n### Patches\n\nThe vulnerability has been patched in commit [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66). Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, `isDangerousKey`, to prevent the use of `__proto__`, `prototype`, or `constructor` as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a `null` prototype.\n\n### Workarounds\n\nUsers on older versions can mitigate this vulnerability by sanitizing the `path` argument provided to the `set` function to ensure that no part of the path string is `__proto__`, `prototype`, or `constructor`. For example, by checking each segment of the path before passing it to the `set` function.\n\n### References\n\n- Git commit: [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66)\n- CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes (\u0027Prototype Pollution\u0027): https://cwe.mitre.org/data/definitions/1321.html",
  "id": "GHSA-2xv9-ghh9-xc69",
  "modified": "2025-05-27T15:03:05Z",
  "published": "2025-05-27T15:03:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/radashi-org/radashi/security/advisories/GHSA-2xv9-ghh9-xc69"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48054"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/radashi-org/radashi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "radashi Allows Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.