CVE-2025-57348
Description
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability in node-cube (prior to 5.0.0) allows attackers to inject properties into built-in object prototypes, leading to denial of service or arbitrary code execution.
The node-cube package, used for modularizing front-end assets, is vulnerable to prototype pollution (CWE-1321) prior to version 5.0.0. The flaw originates from improper validation of user-supplied input during resource initialization, specifically within the setRequires method of the cycle_check module [3]. This allows attackers to arbitrarily modify the prototype chain of built-in JavaScript objects [2].
Exploitation requires no authentication—an attacker can supply malicious input to the package's resource initialization process, which is commonly exposed in browser environments. By injecting properties into Object.prototype, the attacker can affect all objects in the application [3].
The impact includes denial of service (DoS) through crash or data corruption, as well as arbitrary code execution in the context of the Node.js runtime [2][3]. Public proof-of-concept code is available, demonstrating the exploitability of the vulnerability [4].
As of the public disclosure, no official fix has been released for this vulnerability. All versions up to and including 5.0.0-beta.19 are affected [2][3]. Users are advised to monitor the repository for patches or consider alternative packages until a fix is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
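The class of flaw described above (CWE-1321 in a map keyed by caller-supplied names), shown next to a hardened form. This is an added example, not code from node-cube or from the advisory: recordRequiresUnsafe, recordRequiresSafe, newGraph and demo are hypothetical names, and the input is constructed.

```javascript
'use strict';

// Property names that resolve to the prototype chain on an ordinary object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern (hypothetical, not node-cube's source): a dependency map held in a
// plain object and indexed directly by caller-supplied names.
function recordRequiresUnsafe(graph, moduleName, requires) {
  if (!graph[moduleName]) graph[moduleName] = {};
  for (const dep of Object.keys(requires)) {
    graph[moduleName][dep] = requires[dep]; // "__proto__" resolves to Object.prototype
  }
}

// Hardened form: a null-prototype map plus an explicit key check (defence in depth).
function newGraph() {
  return Object.create(null);
}

function recordRequiresSafe(graph, moduleName, requires) {
  const deps = Object.keys(requires);
  for (const key of [moduleName, ...deps]) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError('rejected module name: ' + JSON.stringify(key));
    }
  }
  if (!Object.prototype.hasOwnProperty.call(graph, moduleName)) {
    graph[moduleName] = Object.create(null);
  }
  for (const dep of deps) graph[moduleName][dep] = requires[dep];
}

// Runs both forms on one constructed input and reports what reached Object.prototype.
function demo() {
  const marker = 'pollutedByDemo'; // constructed marker property
  const input = { name: '__proto__', requires: { [marker]: true } }; // constructed input
  recordRequiresUnsafe({}, input.name, input.requires);
  const unsafePolluted = marker in {}; // a fresh object inherits the marker
  delete Object.prototype[marker]; // restore the runtime before the second run
  let safeRejected = false;
  try {
    recordRequiresSafe(newGraph(), input.name, input.requires);
  } catch (err) {
    safeRejected = err instanceof TypeError;
  }
  return { unsafePolluted, safeRejected, safePolluted: marker in {} };
}

console.log(demo());
```

Node's --disable-proto=delete option removes the __proto__ accessor process-wide, which closes this key path at runtime but does not replace input validation.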
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-cube (npm) | <= 5.0.0-beta.19 | — |
Affected products
- node-cube/node-cube
Patches
No patches discovered yet.