
CVE-2025-57351: n/a

Medium
Published: Wed Sep 24 2025 (09/24/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.

AI-Powered Analysis

Last updated: 09/24/2025, 18:31:35 UTC

Technical Analysis

CVE-2025-57351 is a prototype pollution vulnerability identified in the ts-fns package, a JavaScript utility library. The vulnerability arises from insufficient validation of user-supplied keys in the assign function, which is responsible for deep property assignment within objects. Specifically, attackers can manipulate the Object.prototype chain by injecting arbitrary properties into the global prototype object. This manipulation can lead to severe consequences such as application crashes, unexpected or malicious code execution behaviors, and bypassing security-critical validation logic that relies on the integrity of the prototype chain. Prototype pollution is a well-known attack vector in JavaScript environments, as it allows attackers to alter the behavior of all objects inheriting from Object.prototype, potentially affecting the entire runtime environment of an application. The vulnerability is present in versions of ts-fns prior to 13.0.7, and notably, the issue remains unaddressed even in the latest available version at the time of this report, indicating that no official patch or fix has been released. The vulnerability stems from improper handling of deep property assignments in the library's public API, which fails to sanitize or restrict keys that can traverse and modify the prototype chain. Although no known exploits have been reported in the wild yet, the nature of this vulnerability makes it a significant risk, especially for applications relying heavily on ts-fns for object manipulation in JavaScript or Node.js environments.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, particularly for those developing or deploying web applications, server-side applications, or services that utilize the ts-fns package. Exploitation could lead to unauthorized code execution, data integrity violations, or denial of service through application crashes. This could compromise sensitive data, disrupt business operations, and erode trust in affected services. Organizations in sectors such as finance, healthcare, and critical infrastructure, which often rely on JavaScript-based applications, could face regulatory and compliance repercussions under GDPR if personal data is exposed or integrity is compromised. Additionally, prototype pollution can be leveraged as a stepping stone for more complex attacks, including privilege escalation or lateral movement within networks, increasing the overall threat landscape. The lack of an official patch exacerbates the risk, forcing organizations to consider alternative mitigation strategies or risk acceptance. Given the widespread use of JavaScript libraries in modern software development, the vulnerability could affect a broad range of applications, increasing the attack surface for European enterprises.

Mitigation Recommendations

Since no official patch is available, European organizations should adopt a multi-layered mitigation approach. First, conduct an immediate audit of all applications and services to identify usage of the ts-fns package, especially versions prior to 13.0.7. Where feasible, replace or remove the ts-fns dependency or isolate its usage to minimize exposure. Implement input validation and sanitization at the application level to prevent untrusted data from reaching the assign function or similar APIs that perform deep object assignments. Employ runtime application self-protection (RASP) or Web Application Firewalls (WAFs) configured to detect anomalous prototype pollution patterns or suspicious payloads targeting object prototype manipulation. Developers should consider using alternative libraries with secure handling of deep assignments or implement custom safe assignment functions that explicitly prevent prototype pollution by disallowing keys like __proto__, constructor, or prototype. Additionally, monitor application logs and behavior for signs of prototype pollution exploitation attempts, such as unexpected property injections or crashes. Engage in threat intelligence sharing within industry groups to stay informed about emerging exploits or patches. Finally, prepare incident response plans tailored to prototype pollution scenarios to minimize impact if exploitation occurs.
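The two application-level mitigations above (validating untrusted input before it reaches a deep-assign API, and a custom assignment function that disallows __proto__, constructor and prototype) are sketched below as an added example. It is not code from ts-fns or from this advisory; all function names and the sample inputs are hypothetical, and the input is assumed to be acyclic data from JSON.parse.

```javascript
// Added example; every name here is hypothetical and none is part of ts-fns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Pre-merge validation: list the path of every forbidden key in parsed input.
// Assumes acyclic data, as produced by JSON.parse.
function findForbiddenKeys(value, path = []) {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    else hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Deep assignment that fails closed instead of silently skipping bad keys.
function safeDeepAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`forbidden key in deep assign: ${key}`);
    }
    const src = source[key];
    if (!isPlainObject(src)) {
      target[key] = src; // scalars and arrays are assigned, never merged into
      continue;
    }
    // Descend only into the target's own plain objects, never inherited ones.
    const own = hasOwn(target, key) ? target[key] : undefined;
    target[key] = safeDeepAssign(isPlainObject(own) ? own : {}, src);
  }
  return target;
}

// Constructed sample inputs, shaped like parsed request bodies.
const hostileInput = JSON.parse('{"profile":{"__proto__":{"polluted":true}}}');
const benignInput = JSON.parse('{"profile":{"name":"alice","roles":["user"]}}');

function demo() {
  const merged = safeDeepAssign({ profile: { id: 1 } }, benignInput);
  let rejected = false;
  try { safeDeepAssign({}, hostileInput); } catch (e) { rejected = e instanceof TypeError; }
  return { merged, rejected, flagged: findForbiddenKeys(hostileInput) };
}
```

Logging the paths returned by findForbiddenKeys at the request boundary also gives the monitoring signal the recommendations call for, since legitimate clients rarely send these keys.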


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68d4384798715fbf47f03b71

Added to database: 9/24/2025, 6:28:23 PM

Last enriched: 9/24/2025, 6:31:35 PM

Last updated: 9/25/2025, 7:00:21 PM
