VYPR
Moderate severity · NVD Advisory · Published Sep 24, 2025 · Updated Sep 25, 2025

CVE-2025-57320

Description

json-schema-editor-visual is a package that provides a JSON Schema editor. A Prototype Pollution vulnerability in the setData and deleteData functions of json-schema-editor-visual versions through 1.1.1 allows attackers to inject or delete properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype Pollution in json-schema-editor-visual up to 1.1.1 allows attackers to manipulate Object.prototype via crafted payloads, causing denial of service.

What is the vulnerability?

The setData and deleteData functions in json-schema-editor-visual versions through 1.1.1 fail to properly sanitize property paths, allowing an attacker to manipulate properties on Object.prototype. This is a classic Prototype Pollution vulnerability (CWE-1321) [1][3]. The issue lies in insufficient validation of nested property references such as __proto__ and constructor.prototype [3].

How is it exploited?

An attacker supplies a crafted JSON payload with malicious property paths to the schema editor. Since the functions do not restrict access to the prototype chain, the payload can inject or delete properties on the global Object.prototype [1]. No authentication is required if the application processes user-supplied schema data [3].

What is the impact?

The minimal consequence is denial of service (DoS) due to runtime instability or crashes [1]. However, depending on the application logic, this could lead to unexpected behavior or privilege escalation if prototype properties affect security checks [3].

Mitigation status

The vulnerability affects versions up to 1.1.1; upgrading to version 2.0.0 or later is recommended [3]. The package is available on GitHub [2]. No official patch is mentioned, but updating to the latest version mitigates the issue.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
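
The path handling described above, as an added example that is not code from json-schema-editor-visual or from this advisory: a path-based setter that follows any key, beside set and delete variants that refuse __proto__, constructor and prototype and walk only own properties. All function names and the array-of-keys path format are assumptions; the package's real setData and deleteData signatures are not shown on this page.

```javascript
// Added example: every function name here is hypothetical, not the package's setData/deleteData.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Weak form: follows any key in the path, so '__proto__' reaches Object.prototype.
function unsafeSetByPath(root, path, value) {
  let node = root;
  for (const key of path.slice(0, -1)) node = node[key];
  node[path[path.length - 1]] = value;
}

// Reject paths that name prototype-chain keys before touching the object.
function checkPath(path) {
  if (!Array.isArray(path) || path.length === 0) throw new TypeError('path must be a non-empty array');
  for (const key of path) if (BLOCKED_KEYS.has(String(key))) throw new RangeError(`blocked key in path: ${String(key)}`);
}

// Hardened set: blocked keys are refused and only own properties are traversed.
function safeSetByPath(root, path, value) {
  checkPath(path);
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (!hasOwn(node, key) || node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
}

// Hardened delete: returns false when the path does not resolve to an own property.
function safeDeleteByPath(root, path) {
  checkPath(path);
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (!hasOwn(node, key) || node[key] === null || typeof node[key] !== 'object') return false;
    node = node[key];
  }
  const last = path[path.length - 1];
  return hasOwn(node, last) ? delete node[last] : false;
}

// Constructed input: a path whose first segment is '__proto__'.
function demo() {
  const path = ['__proto__', 'polluted'];
  unsafeSetByPath({}, path, true);
  const weakPolluted = ({}).polluted === true; // unrelated objects now inherit the property
  delete Object.prototype.polluted;            // restore global state before the next check
  let rejected = false;
  try { safeSetByPath({}, path, true); } catch (e) { rejected = e instanceof RangeError; }
  return { weakPolluted, rejected, stillClean: ({}).polluted === undefined };
}
```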

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: json-schema-editor-visual (npm)
Affected versions: <= 2.0.0
Patched versions: (none listed)

Patches

No patches discovered yet.
