CVE-2025-32014: estree-util-value-to-estree allows prototype pollution in generated ESTree
When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead.
Example:
import { generate } from 'astring'
import { valueToEstree } from 'estree-util-value-to-estree'
const estree = valueToEstree({
['__proto__']: {}
})
const code = generate(estree)
console.log(code)
Output:
{
"__proto__": {}
}
References
- github.com/advisories/GHSA-f7f6-9jq7-3rqj
- github.com/remcohaszing/estree-util-value-to-estree
- github.com/remcohaszing/estree-util-value-to-estree/commit/d0c394fbc64bc55937ffe4e162b81f15ba506e55
- github.com/remcohaszing/estree-util-value-to-estree/security/advisories/GHSA-f7f6-9jq7-3rqj
- nvd.nist.gov/vuln/detail/CVE-2025-32014
Code Behaviors & Features
Detect and mitigate CVE-2025-32014 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →