CVE-2025-57321: magix-combine-ex vulnerable to prototype pollution

September 24, 2025 (updated September 25, 2025)

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

References

github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js
github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321
github.com/advisories/GHSA-cr7h-93fh-whwm
github.com/thx/magix-combine
nvd.nist.gov/vuln/detail/CVE-2025-57321

Code Behaviors & Features

Detect and mitigate CVE-2025-57321 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →