Vulnerability Description
@std/toml is the TOML module of the Deno Standard Library. Prior to version 1.0.9, an attacker who can supply untrusted TOML data to the parser can pollute the prototype chain in the Node.js runtime and in the browser, achieving Prototype Pollution (PP). The cause is that the library merged the attacker-controlled parsed data into a plain empty object, `{}`, which inherits from `Object.prototype`; a key such as `__proto__` is therefore resolved through the prototype chain instead of being created as an own property, and values written under it land on the shared prototype. The issue has been patched in version 1.0.9.
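As an added illustration (not the @std/toml source or its fix), the toy parser below handles a small TOML subset and shows the mechanism described above: walking untrusted keys into a plain `{}` lands on `Object.prototype`, while the same walk into null-prototype objects does not. The malicious document, the function names and the hardening choice (`Object.create(null)`) are this example's own assumptions and are not taken from the advisory.

```javascript
// Added example, not the @std/toml source: a toy parser for a TOML subset
// ([table] headers, `key = value` pairs, dotted bare keys) parameterised by
// how it creates table objects, so the vulnerable and hardened variants
// share every line except the object factory.

// Parse basic strings, integers and booleans; reject anything else.
function parseValue(raw) {
  const s = raw.trim();
  if (/^"[^"\\]*"$/.test(s)) return s.slice(1, -1);
  if (/^-?\d+$/.test(s)) return Number(s);
  if (s === "true" || s === "false") return s === "true";
  throw new Error(`unsupported TOML value: ${raw}`);
}

// Split a dotted bare key into its segments (quoted segments not supported).
function keyPath(raw) {
  return raw.trim().split(".").map((p) => p.trim());
}

// Walk `path` from `root`, creating intermediate tables with `newTable()`,
// and assign `value` at the final segment. This is the dangerous step: with
// a plain `{}`, `cur["__proto__"]` is Object.prototype, so the walk leaves
// the parsed document and writes onto the shared prototype.
function assignPath(root, path, value, newTable) {
  let cur = root;
  for (const part of path.slice(0, -1)) {
    if (typeof cur[part] !== "object" || cur[part] === null) {
      cur[part] = newTable();
    }
    cur = cur[part];
  }
  cur[path[path.length - 1]] = value;
}

// Line-oriented parser; `newTable` decides what kind of object tables are.
function parseToml(text, newTable) {
  const root = newTable();
  let tablePath = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (trimmed === "" || trimmed.startsWith("#")) continue;
    const header = /^\[([^\]]+)\]$/.exec(trimmed);
    if (header) {
      tablePath = keyPath(header[1]);
      continue;
    }
    const eq = trimmed.indexOf("=");
    if (eq < 0) throw new Error(`malformed line: ${line}`);
    const path = [...tablePath, ...keyPath(trimmed.slice(0, eq))];
    assignPath(root, path, parseValue(trimmed.slice(eq + 1)), newTable);
  }
  return root;
}

// Vulnerable variant: tables are plain objects that inherit Object.prototype.
const parseTomlVulnerable = (text) => parseToml(text, () => ({}));

// Hardened variant: null-prototype tables have no inherited `__proto__`
// accessor (and no inherited `constructor`), so those keys become ordinary
// own properties and the walk can never reach Object.prototype.
const parseTomlHardened = (text) => parseToml(text, () => Object.create(null));

// Constructed attacker input: a table header named __proto__. A dotted key
// `__proto__.polluted = "yes"` takes exactly the same path.
const MALICIOUS_TOML = `
[__proto__]
polluted = "yes"
`;

// Run `parser` on the payload and report whether an unrelated, freshly
// created object now carries the injected property. Cleans up afterwards so
// the check can be repeated.
function pollutes(parser) {
  try {
    parser(MALICIOUS_TOML);
    return ({}).polluted === "yes";
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log("plain {} tables pollute Object.prototype:", pollutes(parseTomlVulnerable));
console.log("null-prototype tables pollute Object.prototype:", pollutes(parseTomlHardened));
```

The hardened variant still accepts the document; it just keeps `__proto__` as a harmless own key on the result, which is the behaviour a consumer should expect from a data parser. Rejecting or renaming such keys is an alternative, but a null-prototype (or frozen) target removes the whole class of inherited-accessor walks, including `constructor.prototype`, rather than a blocklist of names.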
CVSS Score
7.3 (HIGH)
Related Weaknesses (CWE)
References
- https://github.com/denoland/std/commit/540662cfd6d71e969af292aa604ef4049dbe271b
- https://github.com/denoland/std/releases/tag/release-2025.08.13
- https://github.com/denoland/std/security/advisories/GHSA-crjp-8r9q-2j9r
FAQ
What is CVE-2025-55195?
CVE-2025-55195 is a vulnerability with a CVSS score of 7.3 (HIGH). @std/toml is the TOML module of the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in the Node.js runtime and in the browser when the library parses untrusted TOML data, achieving Prototype Pollution (PP), because parsed data was merged into a plain empty object that inherits from `Object.prototype`. The issue is patched in version 1.0.9.
How severe is CVE-2025-55195?
CVE-2025-55195 has been rated HIGH with a CVSS base score of 7.3/10. This page lists only the base score; consult the linked GHSA advisory for the full CVSS vector and metric breakdown.
Is there a patch for CVE-2025-55195?
Yes. The vulnerability is fixed in @std/toml version 1.0.9; the patch commit and the GHSA advisory are linked in the references section above. Upgrade to 1.0.9 or later, and treat any TOML from an untrusted source parsed by an earlier version as a potential prototype-pollution vector.