CRITICAL🇵🇱 Wersja polska

CVE-2025-57347

CVSS 9.8v3.1pub. 2025-09-24upd. 2025-10-17

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

🤖 AI Analysis
How it works

An attacker supplies specially crafted input data containing reserved property names, such as '__proto__', which are passed to the addConflict function without proper sanitization. The function assigns these values directly to object properties, resulting in modification of the global JavaScript Object prototype. After prototype poisoning, all objects in the application inherit the modified properties, which can cause unexpected application behavior, processing errors, or execution of injected code at locations where the poisoned properties are later read or invoked.

Impact

An attacker can cause a denial of service (DoS), trigger unexpected application behavior, or — under favorable conditions — execute arbitrary code on the server. The vulnerability is remotely accessible, requires no authentication, and requires no user interaction (CVSS 9.8).

Mitigation & patch

Update the 'dagre-d3-es' package to version 7.0.11 or later. According to the description, the vulnerability remained unpatched at the time of disclosure — monitor the vendor's repository (https://github.com/tbo47/dagre-es/issues/52) and apply the patch immediately upon availability. As a temporary workaround, restrict the ability to pass untrusted input data to components using the 'bk' module.

Who is affected

The npm package 'dagre-d3-es' (Tbo47) in versions earlier than 7.0.11; the vulnerability was confirmed in version 7.0.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tbo47 Dagre D3 Es

    APP
    Tbo47
    7.0.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References