CRITICAL🇵🇱 Wersja polska

CVE-2025-49223

CVSS 9.8v3.1pub. 2025-06-04upd. 2025-06-06

billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

🤖 AI Analysis
How it works

The attack involves injecting arbitrary properties into the prototype of a JavaScript object through the vulnerable generate function. The prototype pollution mechanism (CWE-1321) allows an attacker to modify global JavaScript objects, which can lead to changes in application behavior in ways not intended by developers. Since the attack vector is network-based, it does not require local access or special privileges, which significantly increases the risk of vulnerability exploitation.

Impact

An attacker can execute arbitrary code in the context of the application (RCE) or cause its unavailability by triggering a DoS error. In both cases, loss of confidentiality, integrity, and availability of data is possible.

Mitigation & patch

billboard.js should be updated as soon as possible to version 3.15.1 or newer, in which the vulnerability has been removed. Detailed information is available at: https://cve.naver.com/detail/cve-2025-49223.html

Who is affected

Naver billboard.js in all versions before 3.15.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Naver Billboard.js

    APP
    Naver
    < 3.15.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoS
CWE
References

Related vulnerabilities

CVE-2026-1513MEDIUM6.1ten sam produkt

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization dur...

CVE-2024-28212CRITICAL9.8PL ✓ten sam vendor

RCE w Naver nGrinder — niebezpieczna deserializacja przez SnakeYAML

CVE-2024-28213CRITICAL9.8PL ✓ten sam vendor

RCE przez niebezpieczną deserializację obiektów Java w Naver nGrinder

CVE-2024-28211CRITICAL9.8PL ✓ten sam vendor

Naver nGrinder — RCE przez złośliwy serwer JMX/RMI

CVE-2021-33592CRITICAL9.8ten sam vendor

NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml fi...