CVE-2025-48054

MEDIUM Year: 2025
Weakness Type
CWE-1321
View all →

Vulnerability Description

Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor.

Related Vulnerabilities

CVE-2020-12079

CRITICAL
CVSS:10.0(Critical)

Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-po...

CWE-13212020

CVE-2021-23449

CRITICAL
CVSS:10.0(Critical)

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

CWE-13212021

CVE-2021-23594

CRITICAL
CVSS:10.0(Critical)

All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.

CWE-13212021

CVE-2023-26121

CRITICAL
CVSS:10.0(Critical)

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.

CWE-13212023

CVE-2023-3696

CRITICAL
CVSS:10.0(Critical)

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

CWE-13212023

CVE-2024-38999

CRITICAL
CVSS:10.0(Critical)

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Ser...

CWE-13212024