CVE-2025-57328
Description
toggle-array is a package designed to enable a property on the object at the specified index while disabling that property on all other objects. A Prototype Pollution vulnerability in the enable and disable functions of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype Pollution in toggle-array ≤1.0.1 enables attackers to inject properties on Object.prototype via crafted payloads, leading to denial of service.
Vulnerability
Overview
The toggle-array package (versions 1.0.1 and earlier) contains a Prototype Pollution vulnerability in the enable and disable functions. The vulnerability allows an attacker to inject arbitrary properties onto Object.prototype by supplying a specially crafted payload [1][3]. This is classified under CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') [3].
Attack
Vector
The attack is performed by passing a malicious payload to the enable or disable functions. The package's design enables or disables a property on objects at a specified index, but insufficient input validation allows the attacker to manipulate the prototype chain. No authentication is required, and the attack can be executed remotely if the application processes user-controlled input through these functions [1][2].
Impact
Successful exploitation results in Prototype Pollution, which can cause denial of service (DoS) as the minimum consequence. Depending on the application's logic, the attacker may also achieve property injection that affects all objects in the runtime, potentially leading to more severe outcomes such as arbitrary code execution or data manipulation [1][3].
Mitigation
As of the publication date, no patch has been released for toggle-array. Users should avoid using the package with untrusted input or consider replacing it with an alternative that properly sanitizes input. The vulnerability is tracked in public proof-of-concept repositories [3].
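A hardened reimplementation of the "enable at one index, disable everywhere else" operation, added here as an example and not toggle-array's own code; the signature enable(items, index, prop), the disable mirror and the prototypesClean check are assumptions, since the package's real API is not reproduced on this page.

```javascript
// Added example (not toggle-array's code): hardened enable/disable for the
// operation the advisory describes. Signature enable(items, index, prop) is assumed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(prop) {
  // Reject the property names through which a write can reach Object.prototype.
  if (typeof prop !== 'string' || FORBIDDEN_KEYS.has(prop)) {
    throw new TypeError(`refusing to toggle unsafe property name: ${String(prop)}`);
  }
}

function assertSafeIndex(items, index) {
  // A strict integer check rejects string indices such as "__proto__" or "1".
  if (!Array.isArray(items)) throw new TypeError('items must be an array');
  if (!Number.isInteger(index) || index < 0 || index >= items.length) {
    throw new RangeError(`index out of range: ${String(index)}`);
  }
}

// Set `prop` to `value` on items[index] and to !value on every other element.
function setExclusive(items, index, prop, value) {
  assertSafeIndex(items, index);
  assertSafeKey(prop);
  items.forEach((item, i) => {
    if (item === null || typeof item !== 'object') return; // skip non-objects
    // defineProperty creates an own property; it never walks the prototype chain.
    Object.defineProperty(item, prop, {
      value: i === index ? value : !value,
      writable: true, enumerable: true, configurable: true,
    });
  });
  return items;
}

const enable = (items, index, prop) => setExclusive(items, index, prop, true);
const disable = (items, index, prop) => setExclusive(items, index, prop, false);

// Post-condition a test suite can assert after feeding hostile input:
// true when neither Object.prototype nor Array.prototype gained an own `name`.
function prototypesClean(name) {
  const hasOwn = Object.prototype.hasOwnProperty;
  return !hasOwn.call(Object.prototype, name) && !hasOwn.call(Array.prototype, name);
}
```
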
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| toggle-array (npm) | <= 1.0.1 | — |
Affected products
- toggle-array/toggle-array
- Range: <=1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-34q3-8x9v-j957 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-57328 (source: GHSA; type: ADVISORY)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/toggle-array%401.0.1/index.js (source: GHSA; type: WEB)
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57328 (source: GHSA; type: WEB)
News mentions
No linked articles in our index yet.