Cyber Resilience

CVE-2025-63704

Critical

Published: 07 May 2026

Modified: 08 May 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (37.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-63704 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Npmjs (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked at the 37.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

The npm package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user-supplied query parameters and merges them into a newly created object.

CWE(s)

CWE-1321 (Prototype Pollution)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Npmjs (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
