
CVE-2025-26278: dref is vulnerable to prototype pollution

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.11858%
Published: 9/25/2025
Updated: 9/26/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: dref
Ecosystem: npm
Vulnerable Versions: <= 0.1.2
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The analysis is based on the provided vulnerability description and the information from the Gist URL. The Gist provides a clear Proof of Concept (PoC) that demonstrates the prototype pollution vulnerability in the `set` function of the `dref` library. The PoC shows that calling `lib.set(someObj, "__proto__.pollutedKey", 123)` pollutes the object prototype. Although the source code of the package could not be retrieved, the detailed description and PoC from the Gist provide high confidence in identifying the vulnerable function as `set` in `lib/index.js`.

Vulnerable functions

`set` (lib/index.js)

The `set` function in `dref` is vulnerable to prototype pollution. It fails to sanitize the input path, allowing an attacker to traverse up to `Object.prototype` and add or modify properties. This can lead to a denial of service or other vulnerabilities depending on the application's logic.
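To make the root-cause analysis and the vulnerable-function description above concrete, here is an added example (not dref's source code, which the analysis notes could not be retrieved). It pairs a minimal dotted-path setter written in the style the advisory describes (`unsafeSet`, a hypothetical stand-in for the library's `set`) with a hardened version (`safeSet`) that refuses prototype-walking segments, descends only into own properties, and creates intermediate objects with a null prototype. The helper names and the `pollutedKey` probe are constructed for the demonstration; the path string is the one from the advisory's PoC.

```javascript
// Added example: a path setter modelled on the advisory's description of
// dref's `set`, beside a hardened replacement. Not the library's own code.

// Segments that would move the traversal onto a prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe (hypothetical): walks the path with no key validation. A segment of
// "__proto__" steps from the target onto Object.prototype, so the final
// assignment lands on the shared prototype instead of the caller's object.
function unsafeSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: reject forbidden segments up front, only descend into own
// object-valued properties, and build intermediates without a prototype so
// the walk can never reach Object.prototype.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new TypeError(`refusing path with forbidden segment: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Detection probe: does a brand-new, unrelated object inherit `key`?
function isPolluted(key) {
  return key in {};
}

// Run the advisory's PoC path through the unsafe setter, record whether an
// unrelated object was affected, then undo the pollution so the process
// state is clean again.
function runUnsafe() {
  const target = {};
  unsafeSet(target, '__proto__.pollutedKey', 123);
  const polluted = isPolluted('pollutedKey');
  delete Object.prototype.pollutedKey; // cleanup for the demo only
  return { polluted };
}

// Same path through the hardened setter: it must throw and leave
// Object.prototype untouched.
function runSafe() {
  let threw = false;
  try {
    safeSet({}, '__proto__.pollutedKey', 123);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, polluted: isPolluted('pollutedKey') };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', runUnsafe()); // { polluted: true }
  console.log('safe:', runSafe());     // { threw: true, polluted: false }
  console.log('normal:', safeSet({}, 'a.b.c', 7)); // { a: { b: { c: 7 } } }
}
```

The `isPolluted` probe is also a useful regression check to keep in a test suite: after exercising any path-setting utility with user-controlled keys, assert that a fresh `{}` does not see the probe key. Rejecting the three forbidden segments is the minimal fix; the null-prototype intermediates and own-property check close the remaining route where an existing inherited value is followed instead of a caller-owned one.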

WAF Protection Rules

WAF Rule

A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
