Cyber Resilience

CVE-2025-57321

Severity: Critical

Published: 24 September 2025

Modified: 17 October 2025
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0016 (37.0th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57321 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the magix-combine-ex package (magix-combine-ex project). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 37.0th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are the NIST SP 800-53 controls RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57321, published on 2025-09-24, is a Prototype Pollution vulnerability (CWE-1321) in the util-deps.addFileDepend function of the magix-combine-ex JavaScript package, affecting all versions through 1.2.10. The flaw allows attackers to inject arbitrary properties onto Object.prototype by supplying a crafted payload. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rated critical because the flaw is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By delivering a specially crafted payload, they can pollute the Object prototype; denial of service (DoS) is the minimum consequence, with the potential for high impact on confidentiality, integrity, and availability.
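The mechanism described above, as an added example that is not magix-combine-ex code (the package's internals are not shown on this page): a hypothetical dependency-recording helper that merges a caller-supplied object, in a naive form that a `__proto__` key pollutes and a hardened form that rejects such keys, plus a check that detects pollution. The function names and the payload are constructed for illustration.

```javascript
// Added example, not code from magix-combine-ex: a hypothetical helper that records
// file dependencies by merging a caller-supplied object, in naive and hardened forms.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Constructed payload. JSON.parse yields an *own* property named "__proto__";
// an object literal would set the prototype instead and not reproduce the bug.
const CRAFTED_PAYLOAD = JSON.parse('{"dep":"./a.js","__proto__":{"polluted":"yes"}}');
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObject = (v) => v !== null && typeof v === 'object';
// Naive recursive merge (the flaw class, CWE-1321): target["__proto__"] resolves to
// Object.prototype, so the recursion writes "polluted" onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Hardened merge: drop prototype-walking keys and recurse only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, to fail loudly on bad input
    if (isObject(source[key])) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Detection check: has the key become an own property of Object.prototype?
function prototypeIsPolluted(key) {
  return hasOwn(Object.prototype, key);
}
// Runs both merges against the payload and reports what each did.
function demo() {
  const before = prototypeIsPolluted('polluted');
  naiveMerge({}, CRAFTED_PAYLOAD);
  const afterNaive = prototypeIsPolluted('polluted');
  delete Object.prototype.polluted; // undo so the rest of the process is unaffected
  const safeKeys = Object.keys(safeMerge({}, CRAFTED_PAYLOAD));
  return { before, afterNaive, afterSafe: prototypeIsPolluted('polluted'), safeKeys };
}
console.log(demo()); // { before: false, afterNaive: true, afterSafe: false, safeKeys: ['dep'] }
```

The same `prototypeIsPolluted` probe, run against a marker key after a request has been processed, is a cheap way to confirm in a test suite that a merge routine does not walk onto Object.prototype.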

Proof-of-concept exploits demonstrating the prototype pollution are available on GitHub, including a script targeting magix-combine-ex 1.2.10 at https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js and a dedicated repository at https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321. No vendor advisories or patches are referenced in available information.

Vulnerability details

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 1.2.10 allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The prototype pollution vulnerability in magix-combine-ex enables attackers to inject properties into Object.prototype via crafted payloads, causing denial of service through application exploitation.

MITRE ATLAS Techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2024-57063 (shared CWE-1321)
CVE-2024-57086 (shared CWE-1321)
CVE-2024-57071 (shared CWE-1321)
CVE-2024-57084 (shared CWE-1321)
CVE-2025-57350 (shared CWE-1321)
CVE-2024-57064 (shared CWE-1321)
CVE-2025-70956 (shared CWE-1321)
CVE-2024-57065 (shared CWE-1321)
CVE-2026-32886 (shared CWE-1321)
CVE-2024-57078 (shared CWE-1321)

Affected Assets

Vendor: magix-combine-ex project
Product: magix-combine-ex
Versions: ≤ 1.2.10

Mitigating Controls (NIST SP 800-53 r5)

Prevent: Mandates timely patching or replacement of vulnerable software, such as magix-combine-ex versions through 1.2.10, to remediate the prototype pollution flaw.

Detect: Enables identification of CVE-2025-57321 in JavaScript dependencies through periodic vulnerability scanning of system components.

Prevent: Requires validation of payloads supplied to functions such as util-deps.addFileDepend to block prototype pollution exploitation.