Author: Ameeba

Overview

The vulnerability CVE-2025-57318 is a Prototype Pollution threat in the csvjson’s toCsv function. It affects all versions up to 5.1.0. The issue is significant because it allows attackers to inject properties on Object.prototype, potentially causing denial of service (DoS) and possibly leading to system compromise or data leakage.

Vulnerability Summary

CVE ID: CVE-2025-57318
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Denial of Service, Potential system compromise, and Data leakage

Affected Products

Product | Affected Versions

csvjson | Up to 5.1.0

How the Exploit Works

The exploit works by taking advantage of the Prototype Pollution vulnerability in the toCsv function of csvjson. An attacker supplies a carefully crafted payload that can inject properties on Object.prototype. This injection can cause an application using the vulnerable csvjson library to behave unpredictably, leading to potential denial of service.

Conceptual Example Code

Here is a hypothetical example of a malicious payload that might exploit this vulnerability:

let payload = {
"__proto__": {
"polluted": "Prototype Polluted!"
}
};
csvjson.toCsv(payload);

In this example, the payload is a JSON object that contains a “__proto__” property. When this payload is passed to the vulnerable toCsv function, it can pollute the prototype of all objects, causing unexpected behaviors in the application. This can result in a denial of service or other adverse impacts.

Mitigation Guidance

To mitigate this vulnerability, apply the vendor patch as soon as it becomes available. In the interim, use Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) to detect and block attempts to exploit this vulnerability.

Overview

The Prototype Pollution vulnerability CVE-2025-57329 is a significant issue that affects the web3-core-method package. This package, designed to create methods on web3 modules, is susceptible to an attack that can result in a Denial of Service (DoS) situation or even worse. Given the widespread use of web3 modules, this vulnerability presents a substantial risk and potential disruption to any system that employs this package.

Vulnerability Summary

CVE ID: CVE-2025-57329
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

web3-core-method | <= 1.10.4 How the Exploit Works

The exploit works by an attacker injecting properties into Object.prototype via a crafted payload. This payload utilizes the attachToObject function of the web3-core-method package to modify the prototype of the targeted object. This results in a pollution of the object’s prototype. Depending on the properties injected, this can lead to a variety of consequences, from DoS to potential system compromise or data leakage.

Conceptual Example Code

The following is a conceptual example of how the vulnerability might be exploited:

let payload = JSON.parse('{"__proto__" : {"polluted" : "Prototype Polluted"}}');
web3CoreMethod.attachToObject(payload);

In this example, a malicious payload is parsed and passed to the `attachToObject` method of the `web3-core-method` package. Once the payload is attached, the prototype of all objects becomes polluted with the malicious properties, leading to the potential exploitation of the system.

Overview

The vulnerability identified as CVE-2025-57328 is a significant security flaw in the toggle-array package, widely used in software applications for manipulating properties on objects at a specified index. This vulnerability, termed as Prototype Pollution, exposes the systems to potential risks of system compromise and data leakage. The impact of this vulnerability is significant, as it allows attackers to inject properties on Object.prototype with a crafted payload, leading to a minimum consequence of Denial of Service (DoS).

Vulnerability Summary

CVE ID: CVE-2025-57328
Severity: High (CVSS: 7.5)
Attack Vector: Remote
Privileges Required: None
User Interaction: None
Impact: System compromise, potential data leakage

Affected Products

Product | Affected Versions

Toggle-Array | v1.0.1 and before

How the Exploit Works

An attacker exploiting this vulnerability would craft a specific payload and inject it into the toggle-array package’s enable or disable function. This would cause the prototype of the Object to be polluted, an action that could have a variety of consequences depending on the attacker’s intent and the specific use of the affected software. At a minimum, this could cause a Denial of Service (DoS), but it could also lead to far more severe impacts such as system compromise or data leakage.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited:

const ToggleArray = require('toggle-array');
let objectArray = [ { property: 'safe' }, { property: 'safe' } ];
let craftedPayload = '{"__proto__": {"injectedProperty": "compromised"}}';
ToggleArray.enable(objectArray, 0, craftedPayload);
console.log(objectArray[1].injectedProperty); // Outputs: compromised

In the above example, the crafted payload `{“__proto__”: {“injectedProperty”: “compromised”}}` is injected into the `enable` function of the `toggle-array` package. This results in the prototype of all objects in the array being polluted with the `injectedProperty`, compromising the integrity of the system.

Overview

The spmrc package, known for providing the rc manager for spm, has a notable Prototype Pollution vulnerability in its version 1.2.0 and before. This vulnerability, classified as CVE-2025-57327, potentially allows attackers to inject properties on Object.prototype via a crafted payload. This results in a Denial of Service (DoS) at the very least, and could pose a significant risk to systems utilizing the affected spmrc package.

Vulnerability Summary

CVE ID: CVE-2025-57327
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Denial of Service (DoS), Potential system compromise or data leakage

Affected Products

Product | Affected Versions

spmrc | 1.2.0 and before

How the Exploit Works

The Prototype Pollution vulnerability in spmrc allows attackers to modify the prototype of Object. When an attacker supplies a malicious payload, they can inject properties into Object.prototype. As a result, the attacker can cause unexpected behavior in the application, leading to Denial of Service (DoS). Depending on the application and its usage of the polluted objects, the impact could potentially escalate to system compromise or data leakage.

Conceptual Example Code

Here is a conceptual example of how the vulnerability might be exploited via a crafted payload:

var spmrc = require('spmrc');
spmrc.set('__proto__.polluted', 'Prototype Polluted');
console.log(polluted); // Output: Prototype Polluted

In this example, the attacker injects a property, ‘polluted’, on the Object prototype by using the set function. As a result, all objects inherit this property, causing unexpected behavior in the application.

Overview

The CVE-2025-57326 is a Prototype Pollution vulnerability that affects the byGroupAndType function of sassdoc-extras v2.5.1 and versions before it. This vulnerability allows attackers to inject properties on Object.prototype through a crafted payload, leading to a potential denial of service (DoS). It is a critical issue that can compromise systems and cause data leakage.

Vulnerability Summary

CVE ID: CVE-2025-57326
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

sassdoc-extras | <= v2.5.1 How the Exploit Works

The exploit works by injecting properties into Object.prototype through a crafted payload. This is an instance of Prototype Pollution, a form of attack where an attacker manipulates the prototype of a JavaScript object. In this case, the byGroupAndType function of sassdoc-extras doesn’t adequately validate input, allowing an attacker to modify an application’s object prototypes.

Conceptual Example Code

Here is a conceptual example of how the vulnerability might be exploited using a JSON payload:

POST /vulnerable/endpoint HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "__proto__": { "admin": true } }

In this example, the payload is modifying the prototype of the application’s objects to include an ‘admin’ property set to true. If the application uses the existence of this property to grant administrative privileges, this could lead to unauthorized access.

Remediation

The best course of action to mitigate this vulnerability is to apply the patch provided by the vendor. If a patch is not immediately available or applicable, a web application firewall (WAF) or intrusion detection system (IDS) can be used as a temporary mitigation measure. In the long term, however, the application should be updated to a version that fixes this vulnerability.

Overview

The vulnerability designated as CVE-2025-57325 is a Prototype Pollution flaw found in the rollbar JavaScript package, specifically version 2.26.4 and earlier. The vulnerability affects developers and users of applications that use this package and could potentially lead to system compromise or data leakage. It’s crucial to understand and address this vulnerability due to its high severity score and its potential to cause a denial of service.

Vulnerability Summary

CVE ID: CVE-2025-57325
Severity: High (CVSS: 7.5)
Attack Vector: Remote
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

rollbar | v2.26.4 and earlier

How the Exploit Works

The vulnerability lies within the utility.set function of the rollbar package. An attacker can inject properties on Object.prototype by supplying a specially crafted payload. This Prototype Pollution attack can lead to unexpected behaviour in the application, including a Denial of Service (DoS) condition and potentially further exploitation leading to system compromise or data leakage.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited. An attacker could send a POST request with a malicious JSON payload to a vulnerable endpoint:

POST /vulnerable/endpoint HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "__proto__": { "polluted": "Prototype Polluted!" } }

In this example, if the application uses the rollbar package to handle this request, the polluted property would be added to all objects in the application, resulting in unexpected behaviour or potential system compromise.

Mitigation Guidance

Users of the rollbar package are advised to apply the vendor-supplied patch to mitigate this vulnerability. If a patch cannot be applied immediately, the use of a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation. However, this does not replace the need for patching the vulnerable software. It is critical to keep all software up-to-date to protect against known vulnerabilities.

Overview

A significant vulnerability has been identified in the mpregular package, a widely used program development framework based on RegularJS. This vulnerability, tagged as CVE-2025-57323, affects version 0.2.0 and earlier versions. It allows attackers to manipulate properties on Object.prototype, resulting in a potential system compromise or data leakage.

Vulnerability Summary

CVE ID: CVE-2025-57323
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Denial of Service, Potential System Compromise, Data Leakage

Affected Products

Product | Affected Versions

mpregular | 0.2.0 and earlier versions

How the Exploit Works

The vulnerability lies in the mp.addEventHandler function of mpregular where it fails to properly validate and sanitize input. An attacker can exploit this by sending a specially crafted payload that can inject properties on Object.prototype. This can cause the application to behave unexpectedly, leading to issues like Denial of Service (DoS) and potentially giving an attacker the ability to compromise the system or leak data.

Conceptual Example Code

Here is a conceptual example of how the vulnerability might be exploited:

var payload = {
"__proto__": {
"isAdmin": true
}
};
mp.addEventHandler(payload);

In this example, a malicious payload is created that injects an “isAdmin” property into the Object prototype. When processed by the mp.addEventHandler function, it could potentially grant admin privileges to an attacker, depending on how the application uses this property.

Mitigation Guidance

The most effective mitigation for this vulnerability is to apply the patch provided by the vendor. If this is not immediately feasible, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) could serve as a temporary mitigation by blocking or alerting on any suspicious activity related to this vulnerability. However, these measures are only stop-gap solutions and cannot replace the need for patching.

Overview

The CVE-2025-57349 vulnerability is a serious flaw in the messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript. This flaw can potentially lead to system compromise or data leakage, affecting all applications using versions of the package before 2.3.0. The vulnerability is of significant concern due to its potential for causing denial of service or other undefined behaviors in affected applications.

Vulnerability Summary

CVE ID: CVE-2025-57349
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

messageformat | < 2.3.0 How the Exploit Works

The vulnerability arises from the package’s improper handling of message key paths when processing nested message keys containing special characters such as __proto__. This can lead to unintended modification of the JavaScript Object prototype, a phenomenon known as prototype pollution. A remote attacker can take advantage of this flaw to inject properties into the global object prototype via specially crafted message input, creating potential for denial of service attacks or other undefined behaviors.

Conceptual Example Code

Below is a conceptual example demonstrating how the vulnerability might be exploited:

let malicious_payload = {
"__proto__.polluted": "Prototype polluted!"
};
messageformat.format(malicious_payload);

Following execution of the above code, all objects in the affected JavaScript context will have a “polluted” property with the value “Prototype polluted!”. This could be used to manipulate or disrupt the normal operation of the application.

Overview

The vulnerability CVE-2025-57330 is a Prototype Pollution issue in the web3-core-subscriptions package. This package is widely used to manage web3 subscriptions, and the vulnerability affects all versions up to 1.10.4. This issue could potentially allow an attacker to cause a Denial of Service (DoS) to the system, compromise it, or even leak sensitive data, hence the need for immediate attention and mitigation.

Vulnerability Summary

CVE ID: CVE-2025-57330
Severity: High (7.5 CVSS)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise, data leakage, and potential for DoS

Affected Products

Product | Affected Versions

web3-core-subscriptions | 1.10.4 and before

How the Exploit Works

The exploit works by an attacker injecting properties into Object.prototype via a carefully crafted payload. This payload can be delivered through network interaction with the application using the vulnerable package. The injection can modify the core behavior of the application, causing it to crash (Denial of Service) or behave unpredictably, potentially leading to system compromise or data leakage.

Conceptual Example Code

Here is a conceptual example of a malicious payload that could exploit this vulnerability:

POST /web3/subscribe HTTP/1.1
Host: target.example.com
Content-Type: application/json
{
"__proto__": {
"shutdown": true
}
}

In this example, if the server parses this JSON and merges it into their application state, it could trigger unwanted behavior like shutting down the system or service. Please note that this is a simplified example and real exploit code may be more complex and less obvious.

Overview

The vulnerability CVE-2025-48869 pertains to the Horilla Human Resource Management System (HRMS), a widely-used free and open-source HRMS. The issue arises when unauthenticated users can gain access to uploaded resume files by merely guessing or predicting the file URLs. This vulnerability is significant as it could lead to data leakage and potential system compromise, negatively impacting the confidentiality and integrity of the sensitive data entrusted to the HRMS.

Vulnerability Summary

CVE ID: CVE-2025-48869
Severity: High (7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System Compromise, Data Leakage

Affected Products

Product | Affected Versions

Horilla HRMS | 1.3.0

How the Exploit Works

The exploit takes advantage of the fact that the resume files are stored in a publicly accessible directory. An attacker does not require any authentication and can retrieve these files by directly predicting or guessing the file URLs. This vulnerability can result in the leakage of sensitive candidate information, which can be exploited for malicious purposes.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited using a simple HTTP GET request:

GET /resumes/jane_doe.pdf HTTP/1.1
Host: target.example.com

In this example, the attacker attempts to access a resume file via a direct URL. If the file exists and the vulnerability is present, the server will return the requested file, potentially revealing sensitive candidate information.

Mitigation Guidance

At the time of publication, there is no known patch. As a temporary mitigation, it is recommended to use a Web Application Firewall (WAF) or Intrusion Detection System (IDS). These can help block or alert on attempts to access files directly. In the long term, it is advisable to apply a vendor patch once available.