CVE-2025-32014: estree-util-value-to-estree allows prototype pollution in generated ESTree

April 7, 2025 (updated October 31, 2025)

When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead.

Example:

import { generate } from 'astring'
import { valueToEstree } from 'estree-util-value-to-estree'

const estree = valueToEstree({
['__proto__']: {}
})
const code = generate(estree)
console.log(code)

Output:

{
"__proto__": {}
}

References

github.com/advisories/GHSA-f7f6-9jq7-3rqj
github.com/remcohaszing/estree-util-value-to-estree
github.com/remcohaszing/estree-util-value-to-estree/commit/d0c394fbc64bc55937ffe4e162b81f15ba506e55
github.com/remcohaszing/estree-util-value-to-estree/security/advisories/GHSA-f7f6-9jq7-3rqj
nvd.nist.gov/vuln/detail/CVE-2025-32014

Code Behaviors & Features

Detect and mitigate CVE-2025-32014 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →