5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-31475

GHSA ID

GHSA-4hwx-xcc5-2hfc

EPSS Score

0.24035%

CWE

CWE-1321

Published

4/7/2025

Updated

4/7/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31475

CVE-2025-31475: tarteaucitron.js allows prototype pollution via custom text injection

A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potential security risks such as data corruption or unintended code execution.

Impact

An attacker with high privileges could exploit this vulnerability to:

Modify object prototypes, affecting core JavaScript behavior,
Cause application crashes or unexpected behavior,
Potentially introduce further security vulnerabilities depending on the application's architecture.

Fix https://github.com/AmauriC/tarteaucitron.js/commit/74c354c413ee3f82dff97a15a0a43942887c2b5b

The issue was resolved by ensuring that user-controlled inputs cannot modify JavaScript object prototypes.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-31475

CVE-2025-31475:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-31475

GHSA ID

GHSA-4hwx-xcc5-2hfc

EPSS Score

0.24035%

CWE

CWE-1321

Published

4/7/2025

Updated

4/7/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tarteaucitronjs	npm	< 1.20.1	1.20.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the AddOrUpdate function's recursive merging logic. The patch adds two critical validations: 1) explicit exclusion of proto and constructor keys, and 2) hasOwnProperty check to prevent prototype chain pollution. In vulnerable versions, this function would appear in profiler traces when processing malicious custom text inputs due to its role in deep-merging user-controlled objects. The function's full namespace is visible in the patch as tarteaucitron.AddOrUpdate, and it's explicitly referenced in the security advisory as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-31475: tarteaucitron.js allows prototype pollution via custom text injection

Impact

Fix https://github.com/AmauriC/tarteaucitron.js/commit/74c354c413ee3f82dff97a15a0a43942887c2b5b

CVE-2025-31475:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

5.5

5.5

CVE-2025-31475: tarteaucitron.js allows prototype pollution via custom text injection

Impact

Fix https://github.com/AmauriC/tarteaucitron.js/commit/74c354c413ee3f82dff97a15a0a43942887c2b5b

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI