GHSA-2xv9-ghh9-xc69

Source

https://github.com/advisories/GHSA-2xv9-ghh9-xc69

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2xv9-ghh9-xc69/GHSA-2xv9-ghh9-xc69.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-2xv9-ghh9-xc69

Aliases

CVE-2025-48054

Published

2025-05-27T15:03:05Z

Modified

2025-05-27T15:42:42.473555Z

Severity

6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Details

Impact

This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.

Patches

The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.

Workarounds

Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.

References

Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-05-27T05:15:23Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed_at": "2025-05-27T15:03:05Z"
}

References

Affected packages

npm / radashi

Package

Name: radashi; View open source insights on deps.dev
Purl: pkg:npm/radashi

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.5.1