CVE-2025-48054 is a prototype pollution vulnerability identified in the Radashi TypeScript utility toolkit, specifically affecting versions prior to 12.5.1. The vulnerability resides in the 'set' function of the Radashi library, which improperly handles the 'path' argument. An attacker who can control parts of this path argument can manipulate the prototype of all JavaScript objects within the runtime environment. Prototype pollution occurs when an attacker modifies the base prototype of objects, which can lead to unexpected and malicious behavior across the application. This can manifest as denial of service (DoS) due to corrupted object states, or in some cases, remote code execution (RCE) if the polluted prototype enables execution of arbitrary code paths. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network, given the attack vector is network accessible (AV:N). The issue has been addressed in Radashi version 12.5.1 by sanitizing the path argument to prevent keys such as '__proto__', 'prototype', or 'constructor' from being used, which are known vectors for prototype pollution. The CVSS 4.0 base score is 6.8 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction needed, but with high impact on integrity and availability. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a significant risk for applications relying on Radashi versions before 12.5.1, especially those exposed to untrusted input controlling the 'set' function's path parameter.

For European organizations, the impact of this vulnerability can be substantial, particularly for those developing or maintaining web applications or services that incorporate the Radashi toolkit in their JavaScript/TypeScript stacks. Exploitation could lead to widespread application instability or crashes (denial of service), data integrity issues due to corrupted object states, and in certain scenarios, remote code execution, which could compromise entire systems. This risk is heightened in environments where Radashi is used in backend services or serverless functions exposed to external inputs. The vulnerability could facilitate lateral movement or privilege escalation within compromised networks. Given the increasing reliance on JavaScript tooling in European enterprises, especially in sectors like finance, telecommunications, and government services, exploitation could disrupt critical services and lead to data breaches or operational downtime. The absence of required authentication and user interaction makes it easier for attackers to exploit, increasing the urgency for remediation. Additionally, the potential for supply chain impact exists if Radashi is embedded in third-party libraries or frameworks used by European software vendors.

European organizations should immediately upgrade all Radashi dependencies to version 12.5.1 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement input validation and sanitization on all inputs that influence the 'path' argument in the 'set' function to explicitly disallow keys such as '__proto__', 'prototype', and 'constructor'. Conduct thorough code audits to identify any usage of the vulnerable 'set' function and assess exposure to untrusted inputs. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious payloads attempting prototype pollution patterns. Integrate dependency scanning tools in CI/CD pipelines to detect vulnerable Radashi versions proactively. Additionally, monitor application logs and behavior for anomalies indicative of prototype pollution exploitation attempts. For organizations using third-party software that may embed Radashi, engage with vendors to confirm patch status or mitigation plans. Finally, educate development teams on secure coding practices related to prototype pollution and JavaScript object handling.