
CVE-2025-48054: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in radashi-org radashi

Medium
Published: Tue May 27 2025 (05/27/2025, 04:04:13 UTC)
Source: CVE Database V5
Vendor/Project: radashi-org
Product: radashi

Description

Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 10:46:26 UTC

Technical Analysis

CVE-2025-48054 is a prototype pollution vulnerability in Radashi, a TypeScript utility toolkit, affecting versions prior to 12.5.1. The flaw is in the library's 'set' function, which assigns a value at a string path inside an object. The function walks the 'path' argument segment by segment without rejecting the special keys '__proto__', 'prototype' and 'constructor'. If an attacker controls any part of that path, a segment such as '__proto__' moves the walk from the target object onto Object.prototype, and the final assignment lands on the prototype shared by every plain object in the runtime. Pollution of that prototype changes the behaviour of the whole application: any code that reads a property it never set may now observe the attacker's value. Depending on what consumes the polluted property, the result is denial of service (corrupted state, unexpected exceptions in unrelated code), loss of integrity (authorization flags or configuration defaults overridden), or, where another component treats the polluted property as an option or template input, remote code execution through such a gadget. The CVSS 4.0 base score is 6.8 (medium): network attack vector, low attack complexity, no privileges and no user interaction required, with high impact on integrity and availability. The network vector assumes that the calling application forwards attacker-influenced input into the 'path' argument; the library itself has no network surface, so real exposure depends on how each application uses 'set'. The issue is patched in Radashi 12.5.1. For earlier versions, the advisory's workaround is to sanitize the path so that no segment equals '__proto__', 'prototype' or 'constructor', the keys through which a path walk can reach a shared prototype. No exploits are currently reported in the wild, but prototype pollution payloads are trivial to construct, so applications that pass untrusted input into 'set' on versions before 12.5.1 should be treated as at risk.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, particularly for those developing or maintaining web applications or services that use the Radashi toolkit in their JavaScript/TypeScript stacks. Exploitation can lead to application instability or crashes (denial of service), data integrity issues from corrupted object state, and, in certain configurations, remote code execution that compromises the host. The risk is highest where Radashi's 'set' is used in backend services or serverless functions to apply externally supplied key paths, for example when mapping request fields onto configuration or user records. Where a polluted property feeds a code-execution gadget, the compromise of one service can become a foothold for further movement within the network. Given the reliance on JavaScript tooling across European enterprises, especially in finance, telecommunications and government services, exploitation could disrupt critical services and lead to data breaches or operational downtime. Because no authentication or user interaction is needed once untrusted input reaches the vulnerable call, remediation should not wait for evidence of active exploitation. A supply chain dimension also exists: Radashi may be embedded transitively in third-party libraries or frameworks used by European software vendors, so the vulnerable code can be present without a direct dependency declaration.

Mitigation Recommendations

European organizations should upgrade all Radashi dependencies, direct and transitive, to version 12.5.1 or later, where the vulnerability is patched; 'npm ls radashi' (or the equivalent for the package manager in use) shows every resolved copy, and 'npm audit' or a dependency scanner in the CI/CD pipeline should flag older versions going forward. If an immediate upgrade is not feasible, validate every input that influences the 'path' argument of 'set' and reject any path segment equal to '__proto__', 'prototype' or 'constructor'; compare whole segments rather than searching for substrings, and apply the check before the library call rather than relying on later cleanup. Audit the code base for uses of 'set' and determine which of them can receive attacker-influenced paths. Web application firewalls or RASP rules that match these three tokens in request bodies and query strings can add a detection layer, but they only cover HTTP ingress and can be evaded, so they are not a substitute for the upgrade. At the runtime level, Node.js can be started with '--disable-proto=throw' (or 'delete') to neutralise the '__proto__' accessor, and 'Object.freeze(Object.prototype)' early in process start-up makes all three routes fail; both are process-wide settings that can break libraries which legitimately extend prototypes, so they need testing before rollout. Monitor application logs for unexpected exceptions or behaviour changes that would follow a polluted prototype. For third-party software that may embed Radashi, ask vendors to confirm the shipped version and their patch plans. Finally, make sure development teams understand prototype pollution and the JavaScript object-traversal patterns that cause it.
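The block below is an added example and not Radashi's own source. It serves both the technical analysis above (how a path walk steps from a plain object onto Object.prototype) and the sanitization workaround described in the mitigation section. The function names 'unsafeSet', 'safeSet', 'assertSafePath' and 'parsePath', the dotted/bracket path syntax, and the attacker path are assumptions for illustration; the attacker input is constructed.

```javascript
// Added example, not Radashi's source: a minimal path-based `set` in the
// style of lodash/radashi, shown unguarded (how CVE-2025-48054-class bugs
// arise) and hardened (the advisory's workaround applied per path segment).

// Keys through which a path walk can climb from a plain object onto a shared
// prototype. Matching is per segment, not substring, so 'my__proto__x' passes.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// 'a.b[0].c' -> ['a', 'b', '0', 'c']; dots and brackets both delimit.
function parsePath(path) {
  return path.replace(/\[(\w+)\]/g, '.$1').split('.').filter(Boolean);
}

// Throws if any segment could reach a prototype. Usable on its own as a
// pre-check in front of an unpatched library call.
function assertSafePath(path) {
  for (const segment of parsePath(path)) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new TypeError(`unsafe path segment "${segment}" in "${path}"`);
    }
  }
}

// Unguarded walker. `{}['__proto__']` is Object.prototype, an object, so the
// loop steps onto it and the final assignment pollutes every plain object.
function unsafeSet(target, path, value) {
  const keys = parsePath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (node[k] === null || typeof node[k] !== 'object') node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened walker: reject dangerous segments up front and never descend into
// inherited properties, so the walk stays inside `target`'s own graph.
function safeSet(target, path, value) {
  assertSafePath(path);
  const keys = parsePath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || node[k] === null || typeof node[k] !== 'object') node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both walkers against an attacker-style path (constructed input, as it
// might arrive in a request body) and reports what each one did.
function demonstrate() {
  const attackerPath = '__proto__.polluted';
  const results = {};

  unsafeSet({}, attackerPath, 'yes');
  const probe = {};                       // an object the caller never touched
  results.unsafeLeaked = probe.polluted === 'yes';
  delete Object.prototype.polluted;       // undo so the rest of the process is clean

  let blocked = false;
  try {
    safeSet({}, attackerPath, 'yes');
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  results.safeBlocked = blocked;
  results.safeStillWorks =
    safeSet({}, 'user.roles[0]', 'admin').user.roles[0] === 'admin';
  results.cleanAfter = ({}).polluted === undefined;
  return results;
}

console.log(demonstrate());
// { unsafeLeaked: true, safeBlocked: true, safeStillWorks: true, cleanAfter: true }
```

The 'own property' check in safeSet is defence in depth: even if the forbidden list were incomplete, the walker would create a fresh own object instead of descending into anything inherited. The 'constructor.prototype' route is caught by the segment check alone, since 'constructor' resolves to a function rather than an object and the hardened walker never follows it.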


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-15T16:06:40.940Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6835ae13182aa0cae20f9d97

Added to database: 5/27/2025, 12:20:35 PM

Last enriched: 7/11/2025, 10:46:26 AM

Last updated: 8/19/2025, 12:51:02 AM
