Vulnerability Description
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.
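To make the property-assignment flaw concrete, the following is an added, hypothetical illustration of the pattern behind this class of bug and its hardened form; it is not the dagre-d3-es source. The function names, the key guard and the `pollutes` checker are assumptions for the example.

```javascript
// Added example: a map keyed by caller-supplied node ids, written two ways.
// Hypothetical code, not the package's own implementation.

// Vulnerable pattern: a plain object literal used as the map. A lookup for
// "__proto__" resolves to Object.prototype (truthy), so the second assignment
// lands on the shared prototype instead of on a per-node record.
function addConflictUnsafe(conflicts, v, w) {
  if (v > w) { const tmp = v; v = w; w = tmp; }
  let conflictsV = conflicts[v];
  if (!conflictsV) { conflicts[v] = conflictsV = {}; }
  conflictsV[w] = true;
}

// Keys that alias the prototype chain and must never be used as map keys.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened pattern: reject prototype-chain keys, read only own properties,
// and store records in null-prototype objects so no lookup can fall through
// to Object.prototype.
function addConflictSafe(conflicts, v, w) {
  for (const key of [v, w]) {
    if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing unsafe conflict key: ${String(key)}`);
    }
  }
  if (v > w) { const tmp = v; v = w; w = tmp; }
  const hasOwn = Object.prototype.hasOwnProperty.call(conflicts, v);
  let conflictsV = hasOwn ? conflicts[v] : undefined;
  if (!conflictsV) { conflicts[v] = conflictsV = Object.create(null); }
  conflictsV[w] = true;
}

// Null-prototype container for the outer map.
function newConflictMap() { return Object.create(null); }

// Detection check: feed one prototype-shaped id to the given addConflict and
// report whether an unrelated object picked up the property. Cleans up after.
function pollutes(addConflict, conflicts) {
  try {
    addConflict(conflicts, "__proto__", "polluted");
  } catch (_err) {
    // the hardened version rejects the key before any assignment
  }
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

The `pollutes` helper is the kind of regression check worth keeping in a test suite after upgrading past an affected version.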
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tbo47 | Dagre-D3-Es | 7.0.9 |
Related Weaknesses (CWE)
References
- https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/C (Third Party Advisory)
- https://github.com/tbo47/dagre-es/issues/52 (Issue Tracking)
FAQ
What is CVE-2025-57347?
CVE-2025-57347 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during prope...
How severe is CVE-2025-57347?
CVE-2025-57347 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-57347?
Check the references section above for vendor advisories and patch information. Affected products include: Tbo47 Dagre-D3-Es.