CVE-2025-57351

MEDIUM

NPM Ts-fns - Prototype Pollution

Title source: rule

Description

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.

References (2)

[Various Sources] https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57351

[Issue Tracking] https://github.com/tangshuang/ts-fns/issues/36

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 45.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (1)

npm/ts-fns 0npm

Published Sep 24, 2025

Tracked Since Feb 18, 2026