CVE-2025-57347CRITICAL 9.8EPSS p38.2%

CVE-2025-57347CVE-2025-57347

Description

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.49% probability of exploitation · percentile 38.2% · 2026-06-18T12:00:27Z
Published2025-09-24
Last modified2025-10-17

Underlying weaknesses· 1

CWE-1321

References

  1. https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57347
  2. https://github.com/tbo47/dagre-es/issues/52

1

TypeTargetConfidenceTier
WeaknessImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')cwe-13210%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-63704
CVE
CVE-2025-63703
CVE
CVE-2025-57321
CVE
CVE-2026-8657
CVE
CVE-2025-57350
CVE
CVE-2026-46509
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.