CVE-2025-48054
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
描述
### Impact This is a prototype pollution vulnerability. It impacts users of the `set` function within the Radashi library. If an attacker can control parts of the `path` argument to the `set` function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. ### Patches The vulnerability has been patched in commit [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66). Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, `isDangerousKey`, to prevent the use of `__proto__`, `prototype`, or `constructor` as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a `null` prototype. ### Workarounds Users on older versions can mitigate this vulnerability by sanitizing the `path` argument provided to the `set` function to ensure that no part of the path string is `__proto__`, `prototype`, or `constructor`. For example, by checking each segment of the path before passing it to the `set` function. ### References - Git commit: [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66) - CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html
如何修補 CVE-2025-48054
要修補 CVE-2025-48054,請將受影響套件升級到下列已修補版本。
- —升級至 12.5.1 或更新版本
CVE-2025-48054 正在被利用嗎?
低 — EPSS 為 2.9%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 12.5.1