CVE-2025-57347

Source
https://cve.org/CVERecord?id=CVE-2025-57347
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57347.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-57347
Published
2025-09-24T19:15:39.980Z
Modified
2026-04-10T05:32:33.695320Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "proto"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

References

Affected packages

Git / github.com/tbo47/dagre-es

Affected ranges

Type
GIT
Repo
https://github.com/tbo47/dagre-es
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.0.9"
        }
    ]
}

Affected versions

7.*
7.0.6
7.0.7
7.0.8
7.0.9
Other
dagre-es-v5
dagre-es-v7
v7.*
v7.0.1
v7.0.3
v7.0.4
v7.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57347.json"