GHSA-g7wq-wggw-vmhg

Suggest an improvement
Source
https://github.com/advisories/GHSA-g7wq-wggw-vmhg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-g7wq-wggw-vmhg/GHSA-g7wq-wggw-vmhg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g7wq-wggw-vmhg
Aliases
  • CVE-2025-57351
Published
2025-09-24T21:30:37Z
Modified
2025-09-25T17:57:26.297193Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
ts-fns has prototype pollution vulnerability
Details

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.

Database specific 
{
    "nvd_published_at": "2025-09-24T19:15:40Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed_at": "2025-09-25T17:32:34Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}
References

Affected packages

npm / ts-fns

Package

Name
ts-fns
View open source insights on deps.dev
Purl
pkg:npm/ts-fns

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
13.1.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-g7wq-wggw-vmhg/GHSA-g7wq-wggw-vmhg.json"