CVE-2025-48054
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-48054
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48054.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-48054
- Aliases
- Published
- 2025-05-27T05:15:23Z
- Modified
- 2025-05-28T17:03:36.463554Z
- Summary
- [none]
- Details
-
Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is proto, prototype, or constructor.
- References
Affected packages
Git / github.com/radashi-org/radashi
Affected ranges
- Type
- GIT
- Repo
- https://github.com/radashi-org/radashi
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v10.*
v10.0.0
v10.1.0
v10.2.0
v10.3.0
v10.3.1
v10.3.2
v10.4.0
v10.5.0
v10.6.0
v10.7.0
v10.7.1
v10.8.1
v10.9.0
v11.*
v11.0.0
v12.*
v12.0.0
v12.1.0
v12.2.0
v12.2.0-beta.0dc9c8a
v12.2.0-beta.313bfb4
v12.2.0-beta.4aac7d7
v12.2.0-beta.5b5a0a7
v12.2.0-beta.6bdfb09
v12.2.0-beta.6fba837
v12.2.0-beta.7fb6e89
v12.2.0-beta.83909af
v12.2.0-beta.85fb266
v12.2.0-beta.8fb5382
v12.2.0-beta.a39a81e
v12.2.0-beta.af936c4
v12.2.0-beta.c090534
v12.2.0-beta.c59abfd
v12.2.0-beta.cf2d48e
v12.2.0-beta.dc9ade1
v12.2.0-beta.ef0154b
v12.2.1
v12.2.2
v12.2.3
v12.3.0
v12.3.1
v12.3.2
v12.3.3
v12.3.4
v12.4.0
v12.5.0
v7.*
v7.0.1
v7.1.0
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.1.0
v9.2.0
v9.3.0
v9.4.0
v9.4.1
v9.4.2
v9.5.0