CVE-2025-48054: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in radashi-org radashi
Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor.
AI Analysis
Technical Summary
CVE-2025-48054 is a prototype pollution vulnerability in the Radashi TypeScript utility toolkit, affecting versions prior to 12.5.1. The flaw resides in the library's 'set' function, which does not adequately validate the 'path' argument it uses to address nested properties. An attacker who controls part of that path can manipulate the prototype of all JavaScript objects within the runtime environment. Prototype pollution occurs when an attacker modifies the base prototype of objects; because every ordinary object inherits from it, the effect spreads across the whole application and can manifest as denial of service (DoS) through corrupted object state or, in some cases, remote code execution (RCE) when the polluted prototype influences a code path that executes attacker-chosen values. The vulnerability requires neither authentication nor user interaction and is reachable over the network (CVSS attack vector AV:N). It was addressed in Radashi version 12.5.1 by sanitizing the path argument so that the keys '__proto__', 'prototype' and 'constructor', the known vectors for prototype pollution, are rejected. The CVSS 4.0 base score is 6.8 (medium severity), reflecting the network attack vector, low attack complexity and the absence of required privileges or user interaction, combined with high impact on integrity and availability. No exploits are currently reported in the wild, but the vulnerability's nature makes it a significant risk for applications that run Radashi versions before 12.5.1 and pass untrusted input into the 'set' function's path parameter.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, particularly for those developing or maintaining web applications or services that incorporate the Radashi toolkit in their JavaScript/TypeScript stacks. Exploitation could lead to widespread application instability or crashes (denial of service), data integrity issues due to corrupted object states, and in certain scenarios, remote code execution, which could compromise entire systems. This risk is heightened in environments where Radashi is used in backend services or serverless functions exposed to external inputs. The vulnerability could facilitate lateral movement or privilege escalation within compromised networks. Given the increasing reliance on JavaScript tooling in European enterprises, especially in sectors like finance, telecommunications, and government services, exploitation could disrupt critical services and lead to data breaches or operational downtime. The absence of required authentication and user interaction makes it easier for attackers to exploit, increasing the urgency for remediation. Additionally, the potential for supply chain impact exists if Radashi is embedded in third-party libraries or frameworks used by European software vendors.
Mitigation Recommendations
European organizations should immediately upgrade all Radashi dependencies to version 12.5.1 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement input validation and sanitization on all inputs that influence the 'path' argument in the 'set' function to explicitly disallow keys such as '__proto__', 'prototype', and 'constructor'. Conduct thorough code audits to identify any usage of the vulnerable 'set' function and assess exposure to untrusted inputs. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious payloads attempting prototype pollution patterns. Integrate dependency scanning tools in CI/CD pipelines to detect vulnerable Radashi versions proactively. Additionally, monitor application logs and behavior for anomalies indicative of prototype pollution exploitation attempts. For organizations using third-party software that may embed Radashi, engage with vendors to confirm patch status or mitigation plans. Finally, educate development teams on secure coding practices related to prototype pollution and JavaScript object handling.
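The path-sanitizing workaround from the description above and the input-validation recommendation from this section, as an added example written for this page (it is not Radashi's code and does not reproduce Radashi's internals). It assumes a hypothetical deep-set helper that accepts the common "a.b[0].c" path notation or an array of segments, refuses any segment named `__proto__`, `prototype` or `constructor`, and only ever descends into properties the target object owns. A second helper, `findForbiddenKeys`, walks an already-parsed JSON payload and reports keys that a deep-set or deep-merge would treat as prototype paths, which is the kind of check a request-validation layer or a custom WAF rule can apply before the data reaches library code. The sample inputs are constructed for the example.

```javascript
// Added example, not Radashi's code. Implements the advisory's workaround:
// reject path segments that could reach a prototype before any write happens.

const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split "a.b[0].c" into ['a', 'b', '0', 'c']. Array paths are passed through.
// (Assumed notation; Radashi's own path syntax is not reproduced here.)
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\w+)\]/g, '.$1') // bracket access -> dot access
    .split('.')
    .filter(seg => seg.length > 0);
}

// True when no segment of the path names a prototype-reaching key.
function isSafePath(path) {
  return toSegments(path).every(seg => !FORBIDDEN_KEYS.has(seg));
}

// Hypothetical hardened deep-set: fails closed on a forbidden segment and
// never walks into inherited properties while creating intermediate objects.
function safeSet(target, path, value) {
  const segs = toSegments(path);
  if (segs.length === 0) throw new TypeError('empty path');
  if (!isSafePath(segs)) {
    throw new TypeError(`refusing path with forbidden segment: ${segs.join('.')}`);
  }
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const existing = hasOwn(cur, key) ? cur[key] : undefined;
    if (existing === null || typeof existing !== 'object') {
      // Numeric next segment -> create an array, otherwise a plain object.
      cur[key] = /^\d+$/.test(segs[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Deep-scan a parsed JSON payload for keys a deep-set/deep-merge would treat
// as prototype paths. Returns dotted locations of every offending key.
// JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
function findForbiddenKeys(value, trail = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = trail ? `${trail}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

// Post-condition a test suite can assert after exercising the setter: the
// shared Object prototype must not have gained any enumerable property.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample: a request body whose `path` field is attacker-influenced.
const sampleBody = JSON.parse('{"path":"profile.settings.theme","value":"dark"}');
if (findForbiddenKeys(sampleBody).length === 0 && isSafePath(sampleBody.path)) {
  safeSet({}, sampleBody.path, sampleBody.value); // accepted: ordinary path
}

module.exports = { toSegments, isSafePath, safeSet, findForbiddenKeys, prototypeIsClean };
```

`isSafePath` is the cheap gate to place in front of any call that hands a user-influenced path to a deep-set utility; `findForbiddenKeys` covers the related case where the keys of a parsed object, rather than a path string, drive the writes. Both fail closed: a path or payload is rejected if any segment matches the forbidden set, regardless of position.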
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-15T16:06:40.940Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6835ae13182aa0cae20f9d97
Added to database: 5/27/2025, 12:20:35 PM
Last enriched: 7/11/2025, 10:46:26 AM
Last updated: 8/19/2025, 12:51:02 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)