Description
CVE-2025-57319 - High Severity Vulnerability
Vulnerable Library - fast-redact-3.5.0.tgz
Library home page: https://registry.npmjs.org/fast-redact/-/fast-redact-3.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- elastic-apm-node-4.11.0.tgz (Root Library)
  - pino-8.21.0.tgz
    - ❌ fast-redact-3.5.0.tgz (Vulnerable Library)
  - pino-8.21.0.tgz
Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a
Found in base branch: main
Vulnerability Details
fast-redact is a package that provides very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. NOTE: the Supplier disputes this because the reporter only demonstrated access to properties by an internal utility function, and there is no means for achieving prototype pollution via the public API.
Publish Date: 2025-09-24
URL: CVE-2025-57319
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High