CVE-2025-3197

HIGH

NPM Expand-object - Prototype Pollution

Title source: rule

Description

Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.

References (3)

[Various Sources] https://gist.github.com/miguelafmonteiro/d8f66af61d14e06338b688f90c4dfa7c

[Various Sources] https://github.com/jonschlinkert/expand-object/blob/master/index.js%23L13

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-EXPANDOBJECT-5821390

Scores

CVSS v3 7.3

EPSS 0.0058

EPSS Percentile 69.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

n/a/expand-object 0.0.0

npm/expand-object 0npm

Published Apr 04, 2025

Tracked Since Feb 18, 2026