CVE-2025-57321
Description
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype Pollution in magix-combine-ex's addFileDepend function allows injecting Object.prototype properties via crafted payload, causing DoS or code execution.
Vulnerability Overview
A prototype pollution vulnerability exists in the magix-combine-ex package (versions through 1.2.10) within the util-deps.addFileDepend function. The root cause is insufficient sanitization of the riskyName parameter, allowing an attacker to specify properties like __proto__ to modify the Object prototype. [1][2]
Exploitation
An attacker can supply a crafted payload to the addFileDepend function, injecting arbitrary properties onto Object.prototype. This requires the ability to influence input to this function, typically through a malicious file or request. [2]
Impact
The minimum consequence is denial of service (DoS) due to unexpected behavior across the application. However, as with many prototype pollution flaws, the impact can escalate to arbitrary code execution or data integrity compromise, depending on how the polluted properties are used. [2]
Mitigation Status
No official patch has been released. The latest version (2.2.2) is reportedly also vulnerable. As a workaround, sanitize user inputs to remove keys like __proto__, constructor, and prototype. [2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
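The key-sanitizing workaround described above, sketched for a name-keyed dependency map. This is an added example, not code from magix-combine-ex or the advisory; `addDependNaive`, `addDependSafe`, `pollutedKeys`, `runDemo` and the store layout are hypothetical stand-ins, and the input is constructed.

```javascript
// Added example: hypothetical dependency registry, not magix-combine-ex source.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive pattern (assumed shape of the bug class): names used directly as keys.
function addDependNaive(store, name, dep) {
  store[name] = store[name] || {};
  store[name][dep] = 1; // name === '__proto__' writes to Object.prototype
}

// Hardened: reject prototype-chain keys and keep data in null-prototype objects.
function addDependSafe(store, name, dep) {
  for (const key of [name, dep]) {
    if (typeof key !== 'string' || key === '' || FORBIDDEN_KEYS.has(key)) {
      return false; // caller should log and drop the entry
    }
  }
  if (!Object.prototype.hasOwnProperty.call(store, name)) {
    store[name] = Object.create(null);
  }
  store[name][dep] = 1;
  return true;
}

// Detection check: enumerable properties every plain object now inherits.
function pollutedKeys() {
  const found = [];
  for (const k in {}) found.push(k);
  return found;
}

// Runs both variants on the same constructed input and cleans up afterwards.
function runDemo() {
  const result = {};
  addDependNaive({}, '__proto__', 'demoFlag'); // constructed input
  result.afterNaive = pollutedKeys();
  delete Object.prototype.demoFlag; // restore the shared prototype
  const store = Object.create(null);
  result.rejected = addDependSafe(store, '__proto__', 'demoFlag');
  result.accepted = addDependSafe(store, 'a.js', 'b.js');
  result.afterSafe = pollutedKeys();
  result.stored = Object.keys(store);
  return result;
}

console.log(runDemo());
```

The `pollutedKeys` check can also run at process start-up or in a test suite to catch pollution introduced by any dependency, not only this one.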
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magix-combine-ex (npm) | <= 2.2.2 | — |
Affected products
- magix-combine-ex/magix-combine-ex
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-cr7h-93fh-whwm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-57321 (ghsa, ADVISORY)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js (ghsa, WEB)
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321 (ghsa, WEB)