CVE-2025-57347

Critical

Published: 24 September 2025
Modified: 17 October 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57347 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Tbo47 Dagre-D3-Es. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57347 is a prototype pollution vulnerability in the 'dagre-d3-es' Node.js package, specifically within the 'bk' module's addConflict function. This flaw arises from the failure to properly sanitize user-supplied input during property assignment operations, enabling attackers to inject malicious values such as "__proto__" and modify the JavaScript Object prototype chain. The issue affects versions prior to 7.0.11.

Attackers can exploit this vulnerability remotely without authentication or user interaction, requiring only low complexity as reflected in its CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-1321. Exploitation allows unauthorized prototype chain modifications, potentially resulting in denial of service conditions, unexpected application behavior, or arbitrary code execution in contexts where polluted properties are later accessed or executed.

Published on 2025-09-24, the vulnerability remains unpatched at the time of disclosure. Key references include a proof-of-concept repository at https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57347 and a related GitHub issue at https://github.com/tbo47/dagre-es/issues/52, which discuss the flaw and may outline mitigation strategies.

Vulnerability details

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499 Endpoint Denial of Service (Tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

Why these techniques?

The prototype pollution vulnerability enables remote exploitation of public-facing applications using the affected Node.js package via unsanitized user input, leading to denial of service or potential arbitrary code execution.

CVEs Like This One

CVE-2026-24888 (Shared CWE-1321)
CVE-2026-28794 (Shared CWE-1321)
CVE-2026-35209 (Shared CWE-1321)
CVE-2026-32878 (Shared CWE-1321)
CVE-2026-34221 (Shared CWE-1321)
CVE-2024-38988 (Shared CWE-1321)
CVE-2026-33994 (Shared CWE-1321)
CVE-2026-44483 (Shared CWE-1321)
CVE-2026-29063 (Shared CWE-1321)
CVE-2026-42232 (Shared CWE-1321)

Affected Assets

Vendor: tbo47
Product: dagre-d3-es
Version: 7.0.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the prototype pollution vulnerability by requiring timely remediation through updating the vulnerable 'dagre-d3-es' package to version 7.0.11 or later.

detect

Enables proactive identification of the CVE-2025-57347 vulnerability in Node.js dependencies via regular vulnerability scanning of third-party packages.

prevent

Mitigates the root cause of unsanitized user input in property assignments by enforcing validation and sanitization at the application level before passing to the affected library function.
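
The application-level validation named in the last control, shown next to the unsafe nested-assignment pattern this advisory describes and a hardened form. This is an added JavaScript example, not dagre-d3-es source code; every function name and the marker value are hypothetical.

```javascript
// Added example; all names are hypothetical and none of this is dagre-d3-es source.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True when an identifier is safe to use as a plain-object key.
function isSafeKey(key) {
  return (typeof key === "string" || typeof key === "number") &&
    !FORBIDDEN_KEYS.has(String(key));
}

// Application-level check: return every node/edge identifier that must be
// rejected before the graph is handed to a layout library.
function findUnsafeIds(nodeIds, edges) {
  const ids = [...nodeIds, ...edges.flatMap(([v, w]) => [v, w])];
  return ids.filter((id) => !isSafeKey(id));
}

// Weak form: nested assignment on a plain object. store["__proto__"] resolves
// to Object.prototype, so the write lands on the shared prototype.
function recordPairUnsafe(store, v, w) {
  let inner = store[v];
  if (!inner) store[v] = inner = {};
  inner[w] = true;
}

// Hardened form: Map/Set treat every key as opaque data, never as a
// prototype-chain lookup.
function recordPairSafe(store, v, w) {
  if (!store.has(v)) store.set(v, new Set());
  store.get(v).add(w);
}

// Run both forms on one constructed input and report whether a fresh,
// unrelated object inherited the marker property.
function demo() {
  const marker = "constructedMarker"; // constructed sample value
  recordPairSafe(new Map(), "__proto__", marker);
  const safePolluted = marker in {};
  recordPairUnsafe({}, "__proto__", marker);
  const unsafePolluted = marker in {};
  delete Object.prototype[marker]; // restore the shared prototype
  return { safePolluted, unsafePolluted };
}
```

Upgrading to 7.0.11 or later remains the remediation this page names; input checks like `findUnsafeIds` are a compensating layer for callers that cannot upgrade immediately.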
