CVE-2025-57319
Description
fast-redact is a package that provides very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. NOTE: the Supplier disputes this because the reporter only demonstrated access to properties by an internal utility function, and there is no means for achieving prototype pollution via the public API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
fast-redact <=3.5.0 has a disputed Prototype Pollution vulnerability in nestedRestore function, potentially allowing DoS via crafted payload.
Vulnerability
Description
CVE-2025-57319 describes a Prototype Pollution vulnerability in the nestedRestore function of the fast-redact package (version 3.5.0 and earlier). nestedRestore is an internal utility that writes values back at nested object paths during redaction; according to the report it does not reject path segments that redirect the walk into a prototype (such as __proto__), so a crafted payload with suitably nested paths lets the caller inject arbitrary properties into Object.prototype [2][3].
Exploitation
Conditions
The reporter's proof of concept reaches nestedRestore by calling the internal utility directly with crafted instructions; the supplier disputes the CVE on the grounds that nestedRestore is not part of the public API and that there is no way to reach it with attacker-controlled paths through that API [1][4]. In normal use the redaction paths are a fixed list supplied by the application developer when the redactor is constructed, not runtime input. The finding would only matter in an application that builds that path list from untrusted input, and none of the cited sources demonstrates such a route, so practical reachability is unconfirmed.
Impact
Successful exploitation would lead at minimum to denial of service (for example by overriding properties that every object inherits), and prototype pollution in general can escalate to data-integrity compromise or, in applications that render polluted values, cross-site scripting (XSS) [2][3]. Because the supplier disputes that the polluting code is reachable through the public API, the real-world impact is likely to be limited.
Mitigation
Status
As of September 2025, no patched version has been released; the supplier disputes the CVE and the issue remains open in the project's repository [4]. Until the dispute is resolved, treat redaction paths as developer-controlled configuration: never build the paths option from untrusted input, reject path segments such as __proto__, constructor and prototype if paths must be assembled dynamically, and consider another redaction library only if that constraint cannot be met.
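The following is an added illustration of the vulnerability class described above and of the path check recommended here. It is not fast-redact's own code and does not show a route through fast-redact's public API: restoreUnsafe stands in for an internal "write value back at nested path" utility of the kind nestedRestore is, restoreSafe is a hardened form, and assertSafePaths is a hypothetical guard an application could apply to a path list before passing it as the paths option. All three names, pollutionDemo and the constructed payload are assumptions.

```javascript
// Added illustration (hypothetical helpers; not fast-redact's code).
// Keys that let a nested write escape the target object and reach
// Object.prototype (or a constructor's prototype).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: walk `path` and write `value`, trusting every segment.
// With path[0] === "__proto__", `cursor[key]` is Object.prototype itself,
// so the final assignment lands on every object in the process.
function restoreUnsafe(target, path, value) {
  let cursor = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (typeof cursor[key] !== "object" || cursor[key] === null) {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[path[path.length - 1]] = value;
  return target;
}

// Guard for a path list: accepts dotted strings ("a.b.c") or segment arrays,
// rejects any segment that could redirect the walk into a prototype.
function assertSafePaths(paths) {
  for (const p of paths) {
    const segments = Array.isArray(p) ? p : String(p).split(".");
    for (const seg of segments) {
      if (FORBIDDEN_KEYS.has(seg)) {
        throw new TypeError(`unsafe path segment "${seg}" in ${JSON.stringify(p)}`);
      }
    }
  }
  return paths;
}

// Hardened pattern: validate the path first, then descend only through own
// data properties so the walk can never follow the prototype chain.
function restoreSafe(target, path, value) {
  assertSafePaths([path]);
  let cursor = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(cursor, key);
    if (!own || typeof cursor[key] !== "object" || cursor[key] === null) {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[path[path.length - 1]] = value;
  return target;
}

// Runs one restore function against a constructed "__proto__" payload and
// reports whether an unrelated fresh object now inherits the injected value.
// The marker is random so the check cannot collide with a real property, and
// any pollution is removed afterwards so the process is left clean.
function pollutionDemo(restoreFn) {
  const marker = "pp_demo_" + Math.random().toString(16).slice(2);
  const payload = ["__proto__", marker]; // constructed attacker-style path
  const result = { rejected: false, polluted: false };
  try {
    restoreFn({}, payload, "injected");
  } catch (err) {
    result.rejected = err instanceof TypeError;
  }
  result.polluted = ({})[marker] === "injected";
  delete Object.prototype[marker];
  return result;
}

console.log("unsafe:", pollutionDemo(restoreUnsafe)); // { rejected: false, polluted: true }
console.log("safe:  ", pollutionDemo(restoreSafe));   // { rejected: true, polluted: false }
```

In an application that must assemble its redaction paths at runtime, calling assertSafePaths(paths) before constructing the redactor with fastRedact({ paths }) keeps a prototype key from ever entering the path list; an application whose paths are a static list in source needs no such guard, which is the normal case and the one the supplier's dispute rests on.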
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-redact (npm) | <= 3.5.0 | — |
Affected products
- (no CPE) range: <= 3.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-ffrw-9mx8-89p8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-57319 (NVD entry, via GHSA)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/fast-redact%403.5.0/index.js (proof of concept, cited by NVD)
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57319 (proof of concept, cited by NVD)
- github.com/davidmarkclements/fast-redact/issues/75 (upstream issue, cited by NVD)
News mentions
No linked articles in our index yet.