How the CVE Works:
This vulnerability abuses JavaScript's prototype inheritance mechanism through Radashi's `set` function. When user-controlled input reaches the `path` argument without proper validation, attackers can inject special keys such as `__proto__` or `constructor` into the path. The vulnerability occurs because the function walks the path and recursively merges objects without checking for prototype-polluting keys. By manipulating these special properties, attackers can modify the base `Object` prototype, affecting all objects in the application. The pollution persists for the lifetime of the runtime, enabling potential DoS, privilege escalation, or RCE depending on how the application uses objects.
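As an added illustration of the mechanism described above (example code, not Radashi's own), a minimal dotted-path setter in the shape of `set`, first in its vulnerable form and then hardened with a key blocklist and an own-property check; `unsafeSetPath`, `safeSetPath`, `isPolluted` and `demo` are names chosen here:

```javascript
// Added example, not Radashi's code: a minimal dotted-path setter in the
// shape of set(), first as the vulnerable form and then hardened.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable form: every segment is used as a plain property key, so
// '__proto__' on a plain object resolves to Object.prototype and the
// final write lands on the shared prototype.
function unsafeSetPath(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] == null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form: reject prototype-related segments up front, and only
// descend into own plain-object properties so the walk never leaves obj.
function safeSetPath(obj, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`Refusing prototype key "${key}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const next = Object.hasOwn(cur, keys[i]) ? cur[keys[i]] : undefined;
    if (typeof next !== 'object' || next === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// True if a fresh, unrelated object can see `key`: the prototype is polluted.
function isPolluted(key) {
  return ({})[key] !== undefined;
}

// Runs both forms against a '__proto__' path and cleans up afterwards so
// the rest of the process is not left polluted.
function demo() {
  unsafeSetPath({}, '__proto__.polluted', true);
  const pollutedByUnsafe = isPolluted('polluted');
  delete Object.prototype.polluted;
  let blockedBySafe = false;
  try { safeSetPath({}, '__proto__.polluted', true); } catch (e) { blockedBySafe = true; }
  return { pollutedByUnsafe, blockedBySafe, cleanAfter: isPolluted('polluted') };
}
```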
DailyCVE Form:
Platform: Radashi
Version: < 1.4.3
Vulnerability: Prototype Pollution
Severity: Moderate
Date: 2025-05-27
Prediction: Patch expected by 2025-06-10
What Undercode Say:
```javascript
// Exploit PoC (vulnerable versions): a "__proto__" path segment makes set()
// walk into Object.prototype and write the final key there.
const radashi = require('radashi');
radashi.set({}, '__proto__.polluted', true);
console.log(({}).polluted); // true on vulnerable versions
```

```javascript
// Protection Code: reject prototype-related path segments before delegating
// to the library's set().
const radashi = require('radashi');
function safeSet(obj, path, value) {
  const keys = path.split('.');
  keys.forEach(key => {
    if (['__proto__', 'prototype', 'constructor'].includes(key)) {
      throw new Error('Prototype pollution attempt');
    }
  });
  return radashi.set(obj, path, value); // original set logic
}
```

Detection Command (matches installed radashi 1.0.x through 1.3.x and 1.4.0 to 1.4.2, i.e. the affected range below 1.4.3):

```bash
npm list radashi | grep -E 'radashi@1\.([0-3]\.[0-9]+|4\.[0-2])\b'
```

Mitigation Steps:
1. Upgrade to Radashi >= 1.4.3
2. Implement input validation wrappers
3. Freeze critical prototypes:

```javascript
Object.freeze(Object.prototype);
Object.freeze(Object);
Object.freeze(Array.prototype);
```

Analytics:
- CVSS Score: 6.5 (Medium)
- Attack Vector: Network
- Complexity: Low
- Privileges Required: None
- User Interaction: Required

```javascript
// Monitoring: a Proxy that warns when code writes "__proto__" through it.
// It only observes writes made via the returned proxy object, not direct
// writes to Object.prototype; the trap returns true so strict-mode callers
// do not get a TypeError.
console.monitorPrototypePollution = (function () {
  const handler = {
    set(target, prop, value, receiver) {
      if (prop === '__proto__') {
        console.warn('Prototype pollution attempt');
        return true; // swallow the write
      }
      return Reflect.set(target, prop, value, receiver);
    }
  };
  return new Proxy(Object.prototype, handler);
})();
```

```javascript
// Patch Verification: a patched version may either reject the path or
// ignore the dangerous segment; in both cases the shared prototype must
// stay clean. (The original try/catch around assert.fail() caught its own
// AssertionError and always reported success.)
const assert = require('assert');
const radashi = require('radashi');
try {
  radashi.set({}, '__proto__.test', true);
} catch (e) {
  // Rejecting the path outright is acceptable on a patched version.
}
assert.strictEqual(({}).test, undefined, 'Vulnerable version');
console.log('Patch verified');
```
Sources:
Reported By: github.com
Extra Source Hub:
Undercode