CVE-2025-32014

MEDIUM

estree-util-value-to-estree < 3.3.3 - Prototype Pollution via proto Property

Title source: llm

Description

estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/remcohaszing/estree-util-value-to-estree/security/advisories/GHSA-f7f6-9jq7-3rqj

Patch x_refsource_misc

https://github.com/remcohaszing/estree-util-value-to-estree/commit/d0c394fbc64bc55937ffe4e162b81f15ba506e55

View Patch ZIP pw:eip

Scores

CVSS v4 6.9

EPSS 0.0037

EPSS Percentile 28.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

npm/estree-util-value-to-estree 0 - 3.3.3npm

remcohaszing/estree-util-value-to-estree < 3.3.3

Published Apr 07, 2025

Tracked Since Feb 18, 2026