CVE-2025-57321
Published: 24 September 2025
Summary
CVE-2025-57321 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the Magix-Combine-Ex project's magix-combine-ex package. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 33.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely patching or replacement of vulnerable software, here magix-combine-ex versions through 1.2.10, to remediate the prototype pollution flaw.
- RA-5 (Vulnerability Monitoring and Scanning): enables identification of CVE-2025-57321 in JavaScript dependencies via periodic vulnerability scanning of system components.
- Requires validation of crafted payloads supplied to functions like util-deps.addFileDepend to block prototype pollution exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The prototype pollution vulnerability in magix-combine-ex enables attackers to inject properties into Object.prototype via crafted payloads, causing denial of service through application exploitation.
MITRE ATLAS Techniques
NVD Description
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
Deeper analysis
CVE-2025-57321, published on 2025-09-24, is a Prototype Pollution vulnerability (CWE-1321) in the util-deps.addFileDepend function of the magix-combine-ex JavaScript package, affecting all versions through 1.2.10. The flaw allows attackers to inject arbitrary properties onto Object.prototype by supplying a crafted payload. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By delivering a specially crafted payload, they can pollute the Object prototype, with denial of service (DoS) as the minimum consequence and potential for high impacts on confidentiality, integrity, and availability.
Proof-of-concept exploits demonstrating the prototype pollution are available on GitHub, including a script targeting magix-combine-ex 1.2.10 at https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js and a dedicated repository at https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321. No vendor advisories or patches are referenced in available information.
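As an added example (not code from magix-combine-ex or from the PoC repositories above): a hardened recursive merge that rejects the keys a prototype-pollution payload must carry, plus a post-condition check that reports any own property that has appeared on Object.prototype. It does not model the internals of util-deps.addFileDepend; the dependency-file input and the helper names are assumptions.

```javascript
// Added example, not code from magix-combine-ex: a hardened deep-merge that
// refuses the keys prototype-pollution payloads rely on, plus a pollution check.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Snapshot of Object.prototype's own property names before untrusted input runs.
const BUILTIN_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Copies the own enumerable properties of `source` into `target` recursively.
// Forbidden keys throw rather than being dropped silently, so an attempt is
// visible to the caller and to logging.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        // Null-prototype object: nested writes cannot reach Object.prototype.
        target[key] = Object.create(null);
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns own property names that appeared on Object.prototype since the
// snapshot; a non-empty result means something polluted the prototype.
function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !BUILTIN_PROTO_KEYS.has(k));
}

// Parses JSON text from an untrusted source (a hypothetical dependency file),
// merges it safely, then verifies the global prototype is still clean.
function applyUntrustedConfig(base, jsonText) {
  const merged = safeDeepMerge(base, JSON.parse(jsonText));
  const leaked = detectPrototypePollution();
  if (leaked.length > 0) {
    throw new Error(`prototype pollution detected: ${leaked.join(", ")}`);
  }
  return merged;
}
```

Note that JSON.parse creates `__proto__` as an ordinary own key, which is why the key check is performed over Object.keys rather than by inspecting the parsed object's prototype.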
Details
- CWE(s)