CRITICAL🇵🇱 Wersja polska

CVE-2025-63703

CVSS 9.8v3.1pub. 2026-05-07upd. 2026-05-08

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

🤖 AI Analysis
How it works

Prototype Pollution (CWE-1321) involves the ability to modify the base prototype of a JavaScript object (Object.prototype) through crafted input data. In the case of parse-ini, the vulnerable function in the index.js file processes data from an INI file without proper key validation, allowing an attacker to inject properties into the prototype through a specially constructed key (e.g., __proto__). The modified prototype can then affect the behavior of other objects throughout the Node.js application.

Impact

An attacker can modify properties inherited by all objects in the application, which may lead to bypassing security mechanisms, disclosure of sensitive data, data integrity violations, or — depending on the application context — remote code execution (RCE) or denial of service.

Mitigation & patch

Apply patches available from the vendor according to the references. If a secure version of the package is not available, it is recommended to replace parse-ini with an alternative, actively maintained package for parsing INI files. It is also worth implementing validation and sanitization of input data before processing.

Who is affected

The npm package parse-ini version 1.0.6; Node.js applications using this package to process INI files.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References