CVE-2025-48054: radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.
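A minimal illustration of the bug class described above, added here and not taken from Radashi's source: a naive dotted-path setter beside a version that rejects path segments reaching the prototype chain. The names naiveSet, guardedSet and comparePaths, and the dot-separated path syntax, are assumptions made for this example.

```javascript
// Added illustration; NOT Radashi's code. All function names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Naive setter: follows every key the caller supplies, inherited ones included.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Guarded setter: refuses prototype-reaching segments and only descends
// into properties the object itself owns.
function guardedSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN.has(key)) throw new Error(`unsafe path segment: ${key}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const child = hasOwn(node, key) ? node[key] : undefined;
    if (child === null || typeof child !== 'object') node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on a fresh object and reports whether an unrelated
// object afterwards inherits a 'polluted' property. Cleans up after itself.
function comparePaths(path) {
  const result = { naivePolluted: false, guardedPolluted: false, rejected: false };
  naiveSet({}, path, true);
  result.naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  try { guardedSet({}, path, true); } catch { result.rejected = true; }
  result.guardedPolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return result;
}
```

Calling comparePaths with a constructed path such as '__proto__.polluted' shows the naive setter affecting every object while the guarded one rejects the path; an ordinary path such as 'a.b.polluted' passes through both unchanged.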