Miggo Logo
Miggo Vulnerability Database
CVE-2025-57354

CVE-2025-57354: counterpart vulnerable to prototype pollution

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-57354
GHSA ID
GHSA-2488-w585-72ch
EPSS Score
0.48114%
CWE
CWE-1321
Published
9/24/2025
Updated
9/26/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
counterpartnpm<= 0.18.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a prototype pollution issue within the counterpart library, specifically in how it caches processed translation keys. The root cause lies in the _normalizeKey function, which uses a JavaScript object as a cache (this._registry.normalizedKeys) with the translation key separator as one of the cache keys.

An attacker can trigger the vulnerability by calling the main translate function and passing __proto__ as the separator within the options object. Here is the exploitation flow:

  1. The translate function is called with a malicious separator, for example: translate('someKey', { separator: '__proto__' }).
  2. The translate function calls _normalizeKeys, which in turn calls _normalizeKey, passing along the malicious separator.
  3. Inside _normalizeKey, the code attempts to access the cache using the separator as a key: this._registry.normalizedKeys[separator]. When separator is __proto__, this expression resolves to the Object.prototype of the cache object.
  4. The following line of code, this._registry.normalizedKeys[separator][key] = ..., then proceeds to assign a value to a property on Object.prototype instead of the cache object itself. This action pollutes the global Object.prototype for the entire application.

The primary vulnerable function is _normalizeKey, where the unsafe caching logic resides. The translate function is the entry point that allows an attacker to supply the malicious input. Any runtime profile or stack trace generated during exploitation would show calls progressing from translate to _normalizeKeys and finally to _normalizeKey, where the prototype pollution occurs.

Vulnerable functions

Counterpart.translate
index.js
This function is the primary entry point for the vulnerability. It accepts a user-controlled `options` object. An attacker can set the `separator` property in this object to a malicious value like `__proto__`. This malicious separator is then passed down to the `_normalizeKey` function, which leads to prototype pollution.
Counterpart._normalizeKey
index.js
This function contains the core prototype pollution flaw. It uses an object (`this._registry.normalizedKeys`) as a cache, keyed by the `separator`. When the `separator` is `__proto__`, accessing `this._registry.normalizedKeys[separator]` resolves to `Object.prototype`. The subsequent line then assigns a property to `Object.prototype` using the `key` argument, causing prototype pollution. For example, `this._registry.normalizedKeys['__proto__']['polluted'] = ...` will pollute the global Object prototype with a 'polluted' property.
Counterpart._normalizeKeys
index.js
This function acts as an intermediary, taking the malicious `separator` from the `translate` function and passing it directly to the vulnerable `_normalizeKey` function. It is part of the call chain that leads to the exploitation of the vulnerability.

WAF Protection Rules

WAF Rule

* vuln*r**ility *xists in t** `*ount*rp*rt` li*r*ry *or No**.js *n* t** *rows*r *u* to insu**i*i*nt s*nitiz*tion o* us*r-*ontroll** input in tr*nsl*tion k*y pro**ssin*. T** *****t** v*rsions prior to *.**.* *llow *tt**k*rs to m*nipul*t* t** li*r*ry's

Reasoning

T** vuln*r**ility is * prototyp* pollution issu* wit*in t** `*ount*rp*rt` li*r*ry, sp**i*i**lly in *ow it *****s pro**ss** tr*nsl*tion k*ys. T** root **us* li*s in t** `_norm*liz*K*y` *un*tion, w*i** us*s * J*v*S*ript o*j**t *s * ***** (`t*is._r**ist