Headline
GHSA-2xv9-ghh9-xc69: radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Impact
This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.
Patches
The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.
Workarounds
Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.
References
- Git commit:
8147abc8cfc3cfe9b9a17cd389076a5d97235a66 - CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes (‘Prototype Pollution’): https://cwe.mitre.org/data/definitions/1321.html
Impact
This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.
Patches
The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of proto, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.
Workarounds
Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is proto, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.
References
- Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
- CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes (‘Prototype Pollution’): https://cwe.mitre.org/data/definitions/1321.html
References
- GHSA-2xv9-ghh9-xc69
- https://nvd.nist.gov/vuln/detail/CVE-2025-48054
- radashi-org/radashi@8147abc