ts-fns, Prototype Pollution, CVE-2025-42586 (Moderate)


The CVE-2025-42586 vulnerability in ts-fns arises from improper input sanitization within the library’s `assign` function. This function is designed to copy properties from one or more source objects onto a target object. However, versions prior to 13.0.7 do not adequately validate the keys of the provided source objects. An attacker can craft a malicious object containing a key like `__proto__.polluted` or `constructor.prototype.polluted`. When this object is passed to the vulnerable `assign` function, the library’s logic for setting nested properties interprets the special `__proto__` key as a path segment. Instead of creating a property named `__proto__` on the target object, it traverses the prototype chain and modifies `Object.prototype` itself. This pollutes the prototype for every object in the application, potentially altering the behavior of existing functions or introducing insecure properties that can be leveraged for further attacks, such as Remote Code Execution if the polluted property influences a function like `eval()`.
Platform: Node.js/npm
Version: < 13.0.7
Vulnerability: Prototype Pollution
Severity: Moderate

Date: 2025-09-24

Prediction: Patch expected 2025-09-30

What Undercode Says:

Check whether the vulnerable package is present in a project:

```bash
npm audit
npm ls ts-fns
```

Proof of concept against a version prior to 13.0.7 (the HTML-mangled key in the original has been restored to `__proto__`):

```javascript
const { assign } = require('ts-fns');

// JSON.parse creates an own property literally named "__proto__",
// which the vulnerable assign() then follows into Object.prototype.
const malicious_payload = JSON.parse('{"__proto__":{"polluted":"yes"}}');
assign({}, malicious_payload);

// A brand-new, unrelated object now carries the injected property.
console.log(({}).polluted); // Outputs: "yes"
```

How It Is Exploited:

An attacker provides a manipulated object with a `__proto__` key to the `assign` function, polluting the base Object prototype and affecting all objects.
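As an added illustration (not ts-fns code and not the upstream fix), a deep-assign that refuses the `__proto__`, `constructor` and `prototype` path segments described above, plus a check a test suite can run to confirm `Object.prototype` is still clean. All function names are assumptions:

```javascript
// Keys that, used as a property name or dotted-path segment, reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Split a dotted path ("a.b.c") and reject any segment that could be used
// to walk into Object.prototype, e.g. "__proto__.polluted".
function safeSegments(path) {
  const segments = String(path).split('.');
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to assign through prototype key "${seg}"`);
    }
  }
  return segments;
}

// Hardened deep assign: copies own enumerable properties of each source into
// target, following dotted keys and merging nested plain objects, with every
// key at every depth checked before anything is written.
function safeAssign(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) { // own keys only; inherited props are ignored
      const segments = safeSegments(key);
      let cursor = target;
      for (const seg of segments.slice(0, -1)) {
        if (!hasOwn(cursor, seg) || !isPlainObject(cursor[seg])) cursor[seg] = {};
        cursor = cursor[seg];
      }
      const last = segments[segments.length - 1];
      const value = source[key];
      if (isPlainObject(value)) {
        if (!hasOwn(cursor, last) || !isPlainObject(cursor[last])) cursor[last] = {};
        safeAssign(cursor[last], value); // recursion re-checks the nested keys
      } else {
        cursor[last] = value;
      }
    }
  }
  return target;
}

// Integrity check: a fresh empty object must enumerate no keys at all.
function isPrototypePolluted() {
  for (const key in {}) return Boolean(key) || true;
  return false;
}
```

Run `isPrototypePolluted()` at the end of a test suite or after processing untrusted input to catch pollution regardless of which library caused it.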

Protection from this CVE:

Upgrade to ts-fns version 13.0.7 or later.

Impact:

Application crash, security control bypass, potential code execution.


Sources:

Reported By: github.com