CVE-2025-57351

CVE-2025-57351 is a medium-severity vulnerability with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1321.

Key facts

Description

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.

Frequently asked questions

What is CVE-2025-57351?
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.
How severe is CVE-2025-57351?
CVE-2025-57351 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability low.
Is CVE-2025-57351 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-57351?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-57351 have an EU (EUVD) identifier?
Yes. CVE-2025-57351 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-31070.
When was CVE-2025-57351 published?
CVE-2025-57351 was published on 2025-09-24 and last updated on 2026-06-17.

References

Other CWE-1321 (Prototype Pollution) vulnerabilities

Browse all CWE-1321 (Prototype Pollution) vulnerabilities →