CVE-2025-57347

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57347	Third Party Advisory
https://github.com/tbo47/dagre-es/issues/52	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:tbo47:dagre-d3-es:7.0.9:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2025-09-24 19:15

Updated : 2025-10-17 14:53

NVD link : CVE-2025-57347

Mitre link : CVE-2025-57347

CVE.ORG link : CVE-2025-57347

JSON object : View

Products Affected

tbo47

dagre-d3-es

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

9.8 /10