CVE-2025-48054

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-48054
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48054.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-48054
Aliases
Published
2025-05-27T05:15:23Z
Modified
2025-05-28T17:03:36.463554Z
Summary
[none]
Details

Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor.
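One way to apply the workaround on versions before 12.5.1, as an added example that is not Radashi's own code or its 12.5.1 patch. The names isSafePath, pathSegments and guardedSet are hypothetical, and the example assumes path segments are delimited by '.', '[' and ']'.

```javascript
// Added example: reject dangerous segments in a `path` before it reaches set().
// Keys named in the advisory's workaround.
const BLOCKED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Assumption: segments are separated by '.', '[' and ']' (dot and bracket
// notation). Surrounding quotes are stripped so a["__proto__"] is caught too.
function pathSegments(path) {
  return String(path)
    .split(/[.\[\]]/)
    .map((s) => s.trim().replace(/^["']|["']$/g, ''))
    .filter((s) => s.length > 0);
}

// True only when no segment is exactly one of the blocked keys.
// Exact matching avoids false positives on keys such as "constructors".
function isSafePath(path) {
  return pathSegments(path).every((seg) => !BLOCKED_KEYS.has(seg));
}

// Wraps any set(target, path, value) implementation passed in as setFn and
// fails closed: the underlying function is never called for a rejected path.
function guardedSet(setFn, target, path, value) {
  if (!isSafePath(path)) {
    throw new RangeError(`rejected path: ${JSON.stringify(String(path))}`);
  }
  return setFn(target, path, value);
}
```

Call guardedSet with the library's set function as the first argument wherever the path can be influenced by request data; upgrading to 12.5.1 remains the fix.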

References

Affected packages

Git / github.com/radashi-org/radashi

Affected ranges

Type
GIT
Repo
https://github.com/radashi-org/radashi
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.3.0
v10.3.1
v10.3.2
v10.4.0
v10.5.0
v10.6.0
v10.7.0
v10.7.1
v10.8.1
v10.9.0

v11.*

v11.0.0

v12.*

v12.0.0
v12.1.0
v12.2.0
v12.2.0-beta.0dc9c8a
v12.2.0-beta.313bfb4
v12.2.0-beta.4aac7d7
v12.2.0-beta.5b5a0a7
v12.2.0-beta.6bdfb09
v12.2.0-beta.6fba837
v12.2.0-beta.7fb6e89
v12.2.0-beta.83909af
v12.2.0-beta.85fb266
v12.2.0-beta.8fb5382
v12.2.0-beta.a39a81e
v12.2.0-beta.af936c4
v12.2.0-beta.c090534
v12.2.0-beta.c59abfd
v12.2.0-beta.cf2d48e
v12.2.0-beta.dc9ade1
v12.2.0-beta.ef0154b
v12.2.1
v12.2.2
v12.2.3
v12.3.0
v12.3.1
v12.3.2
v12.3.3
v12.3.4
v12.4.0
v12.5.0

v7.*

v7.0.1
v7.1.0

v8.*

v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0

v9.*

v9.0.0
v9.0.1
v9.0.2
v9.1.0
v9.2.0
v9.3.0
v9.4.0
v9.4.1
v9.4.2
v9.5.0