N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48054

CVE-2025-48054: radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Impact

This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.

Patches

The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.

Workarounds

Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.

References

Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-48054

CVE-2025-48054:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
radashi	npm	< 12.5.1	12.5.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a prototype pollution issue within the set function of the Radashi library. The provided commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66 clearly shows the patch applied to src/object/set.ts.

The core of the vulnerability lies in the set function, which, prior to the patch, did not validate the keys being used to set properties on an object. An attacker could provide a path containing __proto__, prototype, or constructor as a key, leading to the modification of the Object prototype.

The patch introduces a new helper function isDangerousKey (in src/object/isDangerousKey.ts) which is then used within the set function to check if the current key in the path is one of these dangerous keys. If a dangerous key is detected and the object does not have a null prototype, an error is thrown, preventing the pollution.

Therefore, the set function in src/object/set.ts is the vulnerable function as it's the one that processes the potentially malicious input (the path) and, without the patch, would perform the unsafe operation. The isDangerousKey function is part of the mitigation, not the vulnerability itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-48054: radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Impact

Patches

Workarounds

References

CVE-2025-48054:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-48054: radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Impact

Patches

Workarounds

References

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI