GHSA-2xv9-ghh9-xc69

Suggest an improvement
Source
https://github.com/advisories/GHSA-2xv9-ghh9-xc69
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2xv9-ghh9-xc69/GHSA-2xv9-ghh9-xc69.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2xv9-ghh9-xc69
Aliases
Published
2025-05-27T15:03:05Z
Modified
2025-05-27T15:42:42.473555Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Details

Impact

This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.

Patches

The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.

Workarounds

Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.

References

  • Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
  • CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html
Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-05-27T05:15:23Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed_at": "2025-05-27T15:03:05Z"
}
References

Affected packages

npm / radashi

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.5.1