CVE-2025-57352
Description
A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
min-documentnpm | < 2.19.1 | 2.19.1 |
Affected products
1- Range: <2.19.0
Patches
1fe32e8da464cMerge pull request #55 from jameswassink/fix/prototype-pollution-removeAttributeNS
1 file changed · +3 −2
dom-element.js+3 −2 modified@@ -128,9 +128,10 @@ DOMElement.prototype.getAttributeNS = DOMElement.prototype.removeAttributeNS = function _Element_removeAttributeNS(namespace, name) { + // Safely access and delete the attribute var attributes = this._attributes[namespace]; - if (attributes) { - delete attributes[name] + if (attributes && Object.prototype.hasOwnProperty.call(attributes, name)) { + delete attributes[name]; } }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-rx8g-88g5-qh64ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-57352ghsaADVISORY
- github.com/Raynos/min-document/commit/fe32e8da464cef622528725f647029a8fd7d95a6ghsaWEB
- github.com/Raynos/min-document/issues/54nvdWEB
- github.com/Raynos/min-document/pull/55ghsaWEB
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57352nvdWEB
News mentions
0No linked articles in our index yet.