CVE-2025-57327
Description
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config functions of spmrc version 1.2.0 and before allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability in spmrc versions ≤1.2.0 allows attackers to inject properties into Object.prototype via crafted payloads, leading to denial of service.
Vulnerability
Overview
The spmrc package, which provides the rc manager for spm, contains a Prototype Pollution vulnerability in its set() and config() functions. The root cause is improper handling of property assignments when processing user-supplied input containing nested property paths such as __proto__.pollutedProp. This allows attackers to inject arbitrary properties into the prototype of built-in JavaScript objects [1][3].
Exploitation
An attacker can exploit this by providing a crafted payload to the set() or config() method of spmrc. These functions are designed to set configuration values using dot-separated keys (e.g., user.username), but they do not sanitize or block prototype-related keys. Any application that passes untrusted input to these functions is vulnerable. No authentication or special network position is required beyond the ability to supply input to the affected methods [2][3].
Impact
The minimum consequence is denial of service (DoS) due to unexpected behavior of objects that rely on unmodified prototypes. In contexts where prototype pollution can be leveraged further, arbitrary code execution may be possible, as the polluted prototype can affect all objects in the runtime [1][3].
Mitigation
Status
As of the publication date, no official patch has been released for spmrc version 1.2.0 or earlier. Users are advised to avoid passing untrusted input to the set() and config() functions, or to consider replacing the package with an alternative that properly sanitizes prototype keys [1][3].
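To make the mechanism and the mitigation concrete, here is an added example that is not spmrc's own code: a hypothetical dot-path config setter in the naive form described above, beside a hardened form that refuses prototype-related segments, plus a check an application's tests can use to confirm Object.prototype is untouched.

```javascript
// Added example (hypothetical model, not spmrc's own code): a dot-path config
// setter in its naive form beside a hardened form, plus a pollution check.

// Path segments that would let a dot-path walk reach Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: walks the object for each segment and assigns the last one.
// For "__proto__.pollutedProp", target.__proto__ is Object.prototype, so the
// final assignment lands on every object in the runtime.
function unsafeSet(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
      node[parts[i]] = {};
    }
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-related segments before touching the
// object, and only descends into *own* properties, so inherited ones are
// never followed. Intermediate containers are null-prototype objects.
function safeSet(target, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (part === '' || FORBIDDEN_SEGMENTS.has(part)) {
      throw new Error(`rejected config key segment: "${part}"`);
    }
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, parts[i]);
    if (!own || typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
      node[parts[i]] = Object.create(null);
    }
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Detection helper for tests or a startup self-check: has `key` appeared as
// an own property of Object.prototype?
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

Running `isPolluted` for the keys an application relies on, in its test suite or at startup, turns a silent prototype change into a hard failure.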
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| spmrc (npm) | <= 1.2.0 | — |
Affected products
- spmrc/spmrc
Patches
No patches discovered yet.
References