CVE-2025-57319
Prototype Pollution vulnerability in fast-redact (npm)
What is CVE-2025-57319 About?
This is a Prototype Pollution vulnerability found in `fast-redact` versions up to 3.5.0. It enables attackers to inject properties into `Object.prototype`, potentially leading to denial of service or other unexpected behavior across the application. Exploitation involves supplying a crafted payload that leverages the `nestedRestore` function.
Affected Software
Technical Details
The `nestedRestore` function within `fast-redact` is vulnerable to Prototype Pollution. An attacker can craft a specific payload that, when processed by this function, allows for the injection of arbitrary properties onto `Object.prototype`. By manipulating `Object.prototype`, an attacker can introduce or modify properties that affect all objects, leading to application-wide side effects, including runtime errors or denial of service conditions due to unexpected property behavior.
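An added example, not part of this advisory and not fast-redact's own code, showing the defensive pattern a nested-path restore routine needs: a setter that refuses the `__proto__`, `constructor` and `prototype` segments, only descends into own properties (so it never walks up into inherited ones), plus a post-condition check that reports whether `Object.prototype` already carries unexpected keys. The function names and the array-of-keys path format are assumptions.

```javascript
// Added example (not fast-redact's own code). Hardened nested-path setter
// plus a prototype-pollution detector. Names and path format are assumptions.

// Keys that would redirect a nested write onto a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split a dotted path ("a.b.c") into segments; the same guard applies to each.
function parsePath(dotted) {
  return String(dotted).split('.');
}

// Assign `value` at `path` inside `target`, creating intermediate plain
// objects as needed. Refuses any segment that could reach a prototype, and
// only descends into own, non-null object properties of the current node.
function safeSetPath(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array of keys');
  }
  for (const key of path) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to write through key ${JSON.stringify(key)}`);
    }
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i += 1) {
    const key = path[i];
    // An inherited property (e.g. "toString") is never traversed; a fresh
    // own object shadows it on this target only.
    if (!hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Detection: a clean Object.prototype has no own enumerable keys.
// Returns the unexpected keys (empty array when nothing has been polluted).
function prototypePollutionIndicators() {
  return Object.keys(Object.prototype);
}

// Runtime hardening for the whole process: once Object.prototype is frozen,
// pollution writes fail (TypeError in strict mode). Call once at startup,
// after any library initialisation that legitimately extends it.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Constructed sample of a restore step: a redacted document and the
// original values to put back at their paths.
function restoreSample() {
  const doc = { user: { name: 'alice', password: '[Redacted]' } };
  safeSetPath(doc, parsePath('user.password'), 'original-value');
  return doc;
}

module.exports = { safeSetPath, parsePath, prototypePollutionIndicators, hardenPrototypes, restoreSample };
```

The guard on path segments is the fix; the own-property check is belt-and-braces so a later refactor cannot reintroduce a walk through the prototype chain. `prototypePollutionIndicators()` is cheap enough to run in a health check or after processing untrusted input, and a non-empty result is a strong signal worth alerting on.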
What is the Impact of CVE-2025-57319?
Successful exploitation may allow attackers to cause a denial of service, corrupt application data, or potentially achieve remote code execution depending on the application's use of object properties.
What is the Exploitability of CVE-2025-57319?
Exploitation requires crafting a specific payload that leverages weak points in the `nestedRestore` function. The complexity is moderate, as it requires an understanding of JavaScript prototype chains and how `fast-redact` processes nested objects during redaction. No authentication is explicitly required, but the attacker must be able to provide input that is processed by the vulnerable function. This can be a remote attack if the application processes untrusted data submitted by a user. The main risk factor is an application using `fast-redact` to process user-controlled data that might contain specially crafted object structures.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-57319?
Available Upgrade Options
- No fixes available
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-57319
- https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/fast-redact%403.5.0/index.js
- https://github.com/davidmarkclements/fast-redact/issues/75
- https://osv.dev/vulnerability/GHSA-ffrw-9mx8-89p8
- https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57319
- https://github.com/davidmarkclements/fast-redact
What are Similar Vulnerabilities to CVE-2025-57319?
Similar Vulnerabilities: CVE-2020-28277, CVE-2019-10744, CVE-2020-7712, CVE-2020-7798, CVE-2021-23639
