CRITICAL🇵🇱 Wersja polska

CVE-2025-57321

CVSS 9.8v3.1pub. 2025-09-24upd. 2025-10-17

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

🤖 AI Analysis
How it works

An attacker provides a specially crafted payload to the util-deps.addFileDepend function, which does not properly validate the keys passed to objects. As a result, it is possible to modify the global JavaScript prototype — Object.prototype — by injecting arbitrary properties into it. The polluted prototype is inherited by all objects in the application, which can lead to unpredictable runtime behavior and service failure (DoS). Publicly available PoC code confirming the possibility of exploiting the vulnerability can be found in the references.

Impact

An attacker can cause denial of service (DoS) by destabilizing the JavaScript environment. Depending on the application context, Prototype Pollution may also pave the way for privilege escalation or remote code execution.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until an update is applied, it is recommended to restrict the ability to pass untrusted input data to the util-deps.addFileDepend function.

Who is affected

The magix-combine-ex package in versions up to and including 1.2.10 (thru 1.2.10).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Magix Combine Ex Project Magix Combine Ex

    APP
    Magix-Combine-Ex Project
    ≤ 1.2.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References