Medium severity6.5GHSA Advisory· Published Sep 24, 2025· Updated Apr 15, 2026

CVE-2025-57351

Description

A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ts-fnsnpm	<= 13.1.3	—

Affected products

Tangshuang/Ts FnsGHSA
Range: <= 13.1.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-g7wq-wggw-vmhgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-57351ghsaADVISORY
github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57351nvdWEB
github.com/tangshuang/ts-fns/issues/36nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000