CVE-2025-57323
Description
mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEventHandler function of mpregular version 0.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype Pollution in mpregular's mp.addEventHandler allows attackers to inject properties into Object.prototype via crafted payloads, leading to denial of service.
Vulnerability Overview
mpregular, a small program development framework built on RegularJS [2], contains a Prototype Pollution vulnerability in its mp.addEventHandler function. The flaw arises because the function does not sanitize user-controlled event identifier strings before processing, allowing an attacker to inject properties onto Object.prototype via payloads such as "__proto__.pollutedProperty" [1][3].
Exploitation
An attacker can exploit this by supplying a crafted payload as the event identifier to mp.addEventHandler. No authentication or special network position is required if the application passes untrusted input to this function. The lack of input validation enables the attacker to modify the prototype chain of all objects in the runtime [3].
Impact
The minimum consequence is denial of service (DoS) due to unexpected behavior when polluted properties are accessed. However, prototype pollution can also lead to more severe outcomes such as property injection affecting application logic [1][3].
Mitigation
As of the disclosure date, no official fix or mitigation has been published for mpregular versions 0.2.0 and earlier. Users should avoid passing untrusted input to mp.addEventHandler or consider using alternative frameworks until a patch is available [3].
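One way to apply that advice at the call site, as an added example that is not mpregular's code or a patch for it: check every untrusted event identifier before it reaches the registration call. The names `rejectReason` and `guardEventId`, the segment allowlist, and the assumption that the identifier is the first argument are all hypothetical; the Map-backed handler store is a constructed stand-in for the real call.

```javascript
// Segments that resolve to a prototype when used as property keys.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);
// Assumed allowlist for one dot-separated segment; adjust to your event names.
const SEGMENT_RE = /^[A-Za-z0-9_$-]{1,64}$/;

// Returns null when the identifier is acceptable, otherwise a reason string.
function rejectReason(eventId) {
  if (typeof eventId !== 'string') return 'not a string';
  if (eventId.length === 0 || eventId.length > 256) return 'bad length';
  for (const segment of eventId.split('.')) {
    if (FORBIDDEN_SEGMENTS.has(segment)) return 'forbidden segment';
    if (!SEGMENT_RE.test(segment)) return 'invalid segment';
  }
  return null;
}

// Wraps any registration function so untrusted identifiers are checked first.
// Assumption: the identifier is the wrapped function's first argument.
function guardEventId(register) {
  return function guarded(eventId, ...rest) {
    const reason = rejectReason(eventId);
    if (reason !== null) {
      throw new TypeError('event identifier rejected: ' + reason);
    }
    return register(eventId, ...rest);
  };
}

// Constructed sample input run against a Map-backed stand-in registry.
function demo() {
  const handlers = new Map();
  const add = guardEventId((id, fn) => handlers.set(id, fn));
  const results = new Map();
  const samples = ['page.onLoad', '__proto__.pollutedProperty',
                   'a.constructor.prototype.x', 'tap', '', 42];
  for (const id of samples) {
    try { add(id, () => {}); results.set(id, 'accepted'); }
    catch (e) { results.set(id, e.message); }
  }
  // 'polluted' stays false: no sample reached a prototype.
  return { results, registered: [...handlers.keys()],
           polluted: 'pollutedProperty' in {} };
}
```

Rejecting by allowlist rather than only by the three forbidden names also turns away bracket-style or non-ASCII identifiers that a denylist alone would let through.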
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mpregular (npm) | <= 0.2.0 | — |
Affected products
- mpregular/mpregular
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xx4g-r65p-3qf2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-57323 (GHSA, advisory)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/mpregular%400.2.0/index.js (GHSA, web)
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57323 (GHSA, web)