CVE-2025-55195

HIGH

@std/toml <1.0.9 - Prototype Pollution

Title source: llm

Description

@std/toml is the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in Node.js runtime and Browser when parsing untrusted TOML data, thus achieving Prototype Pollution (PP) vulnerability. This is because the library is merging an untrusted object with an empty object, which by default the empty object has the prototype chain. This issue has been patched in version 1.0.9.

References (3)

[Vendor Advisory] https://github.com/denoland/std/security/advisories/GHSA-crjp-8r9q-2j9r

[Patch] https://github.com/denoland/std/commit/540662cfd6d71e969af292aa604ef4049dbe271b

View Patch ZIP pw:eip

[Release Notes] https://github.com/denoland/std/releases/tag/release-2025.08.13

Scores

CVSS v3 7.3

EPSS 0.0016

EPSS Percentile 36.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (1)

denoland/std < 1.0.9

Published Aug 14, 2025

Tracked Since Feb 18, 2026