CVE-2025-49223

CRITICAL

billboard.js < 3.15.1 - Prototype Pollution via Generate Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-49223, a PoC published by louay-075.

AI-analyzed exploit summary

This repository provides a detailed technical analysis of CVE-2025-49223, a prototype pollution vulnerability in Billboard.js versions prior to 3.15.1. It includes a proof-of-concept demonstration and discusses the impact and mitigation strategies.

Description

billboard.js before 3.15.1 contains a prototype pollution vulnerability (CWE-1321) in the generate function: arbitrary properties injected through the options passed to generate can be written onto Object.prototype, which could allow an attacker to execute arbitrary code or cause a Denial of Service (DoS), depending on how the polluted properties are later consumed by the application.
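The mechanism behind this class of bug, shown as an added example that is not billboard.js's source and does not reproduce its internal merge routine: a chart library takes a caller-supplied options object, layers it recursively over its defaults, and a merge that follows a key literally named `__proto__` ends up writing into Object.prototype. The function names (`mergeUnsafe`, `mergeSafe`, `pollutionProbe`, `demo`), the default options and the payload are assumptions made for illustration.

```javascript
// Added illustration, not billboard.js source: how a recursive options merge
// becomes a prototype-pollution sink, and the hardened form. All names here
// (mergeUnsafe, mergeSafe, pollutionProbe, demo) are assumptions for illustration.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE: walks every enumerable key of `source`, including one literally
// named "__proto__". target["__proto__"] resolves to Object.prototype, so the
// recursion then writes attacker-chosen properties onto every object.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: same merge, but (1) only own keys are read, (2) the three keys that
// reach the prototype chain are refused outright, and (3) recursion only enters
// a child that `target` itself owns, never one inherited from its prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: a fresh empty object inherits everything on Object.prototype,
// so finding a key here that no code defined is the signature of pollution.
function pollutionProbe(key) {
  return key in {};
}

// Constructed attacker payload. JSON.parse is used on purpose: a "__proto__"
// key in JSON becomes an ordinary own property (an object literal in source
// code would instead set the prototype and not trigger the bug).
const PAYLOAD_JSON = '{"__proto__": {"polluted": true}, "size": {"width": 640}}';

// Runs both merges against the same defaults and reports what happened. The
// global pollution is undone at the end so the process is left clean.
function demo() {
  const defaults = () => ({ size: { width: 320, height: 240 } });

  const safe = mergeSafe(defaults(), JSON.parse(PAYLOAD_JSON));
  const safePolluted = pollutionProbe("polluted");

  const unsafe = mergeUnsafe(defaults(), JSON.parse(PAYLOAD_JSON));
  const unsafePolluted = pollutionProbe("polluted");

  delete Object.prototype.polluted; // cleanup; a real victim has no such step
  return {
    safePolluted,                   // false: hardened merge refused "__proto__"
    unsafePolluted,                 // true: Object.prototype.polluted was written
    safeWidth: safe.size.width,     // 640: the legitimate option is still applied
    unsafeWidth: unsafe.size.width, // 640
    safeHeight: safe.size.height,   // 240: untouched default survives the merge
  };
}

console.log(demo());
```

The probe is also the quickest triage check against a page that loads the affected versions: after the chart options have been applied, `"somekey" in {}` returning true for a key nothing defined means the prototype chain has been written to. The DoS and code-execution outcomes named in the description depend on what downstream code reads from inherited properties, so the example stops at demonstrating the write itself.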

Exploits (1)

nomisec · writeup · 1 star
by louay-075 · poc
https://github.com/louay-075/CVE-2025-49223-BillboardJS-PoC

Classification: Writeup (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Billboard.js <= 3.14.0
Authentication: none needed
Prerequisites: Access to a web browser · Vulnerable version of Billboard.js loaded
Analyzed by devstral-2 on Feb 18, 2026

References (1)

Vendor Advisory (core reference)
https://cve.naver.com/detail/cve-2025-49223.html

Scores

CVSS v3.1 9.8 (CRITICAL)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.0083
EPSS Percentile 75.2%
Attack Vector NETWORK

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-1321
Status published
Products (2)
naver/billboard.js < 3.15.1
npm/billboard.js 0 up to (excluding) 3.15.1 (npm ecosystem)
Published Jun 04, 2025
Tracked Since Feb 18, 2026