CVE-2025-57326
Description
A prototype pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and earlier allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in sassdoc-extras v2.5.1 and before allows DoS via crafted payload in byGroupAndType function.
Vulnerability
Overview
A prototype pollution vulnerability exists in the byGroupAndType function of the sassdoc-extras package, versions 2.5.1 and earlier [1]. The function does not sanitize the keys it derives from its input, so an attacker who controls that input can inject properties into Object.prototype [1][3]. The weakness is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) [3].
Exploitation
An attacker exploits this by passing a crafted payload to the byGroupAndType function, which SassDoc theme builders call to organise documentation items [2][3]. No authentication is involved: the only precondition is that attacker-controlled data reaches the function. Whether it does depends on how the package is integrated, i.e. whether the data handed to the theme can originate from an untrusted source [2].
Impact
The official description gives denial of service (DoS) as the minimum consequence [1]. Prototype pollution can escalate to data integrity compromise or arbitrary code execution when other code in the process reads the polluted properties (for example, an option or flag that is looked up on a plain object and falls through to Object.prototype), so the actual impact depends on what else runs alongside the polluted prototype [3].
Mitigation
As of the publication date, no patch is available [3]. Users should ensure that only trusted data is passed to the byGroupAndType function, or switch to an alternative package until a fix is released [2][3]. Note that the GitHub Security Advisory lists versions up to and including 3.0.0 as affected (see Affected packages below), so upgrading within the current release line does not resolve the issue.
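The following is an added example and is not code from sassdoc-extras or from the PoC repository in the references; it illustrates the Overview, Exploitation and Mitigation sections by showing a grouping helper of the kind the advisory describes, first in a form that pollutes Object.prototype and then hardened. The item shape (a `group` array and `context.type`), the function names, the `UNSAFE_KEYS` list and the sample items are assumptions made for illustration.

```javascript
// Added example (not sassdoc-extras code): a grouping helper in the shape the
// advisory describes, first polluting and then hardened. The item shape
// (group array, context.type) is assumed, not taken from the package.

// Vulnerable pattern: group and type names become property keys on ordinary
// objects, so a group named "__proto__" resolves to Object.prototype and the
// following assignment writes a property through it.
function byGroupAndTypeVulnerable(items) {
  const result = {};
  for (const item of items) {
    for (const group of item.group) {
      result[group] = result[group] || {};
      const type = item.context.type;
      result[group][type] = result[group][type] || [];
      result[group][type].push(item);
    }
  }
  return result;
}

// Hardened pattern: null-prototype accumulators, so "__proto__" is an own key
// with no setter behind it, plus an explicit reject of the keys that reach
// Object.prototype through other paths (constructor.prototype).
// UNSAFE_KEYS is an assumed blocklist for this example.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  if (typeof key !== 'string' || UNSAFE_KEYS.has(key)) {
    throw new TypeError(`refusing to use "${String(key)}" as a grouping key`);
  }
  return key;
}

function byGroupAndTypeHardened(items) {
  const result = Object.create(null);
  for (const item of items) {
    for (const group of item.group) {
      assertSafeKey(group);
      const type = assertSafeKey(item.context.type);
      if (!result[group]) result[group] = Object.create(null);
      if (!result[group][type]) result[group][type] = [];
      result[group][type].push(item);
    }
  }
  return result;
}

// Constructed payload: one ordinary item plus one whose group is "__proto__".
function craftedItems() {
  return [
    { context: { type: 'mixin', name: 'ok' }, group: ['general'] },
    { context: { type: 'polluted', name: 'evil' }, group: ['__proto__'] },
  ];
}

// Runs the vulnerable function, reports whether a fresh object inherited the
// injected property, then removes it so the process is clean again.
function demonstratePollution() {
  byGroupAndTypeVulnerable(craftedItems());
  const leaked = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return leaked;
}

// Runs the hardened function; reports whether it rejected the payload and
// whether Object.prototype stayed clean.
function demonstrateHardened() {
  let rejected = false;
  try {
    byGroupAndTypeHardened(craftedItems());
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { rejected, clean: ({}).polluted === undefined };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable form leaks into Object.prototype:', demonstratePollution());
  console.log('hardened form:', demonstrateHardened());
}
```

The vulnerable form leaks because `result["__proto__"]` is truthy (it is Object.prototype itself), so the `|| {}` guard never replaces it and the next line assigns onto the shared prototype. Null-prototype accumulators alone stop that path; the key check is kept as well because `constructor.prototype` reaches the same target through a second hop.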
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sassdoc-extras (npm) | <= 3.0.0 | — |
The advisory range (<= 3.0.0) is wider than the <= 2.5.1 range given in the CVE description; until a patched version is published, no release should be treated as fixed.
Affected products
- sassdoc-extras/sassdoc-extras
  - Range: <=2.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3mpm-jx38-9m8w (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-57326 (NVD advisory)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/sassdoc-extras%402.5.1/index.js (proof of concept)
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57326 (proof of concept)
News mentions
No linked articles in our index yet.