THREATINT
PUBLISHED

CVE-2025-3197



Description

Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.
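The missing key check described above, shown as an added example that is not code from expand-object or from this advisory. The helper names (setPathNaive, setPathSafe, comparePollution) and the dot-separated path format are assumptions made for illustration; the package's own input syntax is not reproduced here.

```javascript
// Added example: hypothetical helpers, not code from expand-object.
// Path segments that resolve to a prototype or constructor instead of plain data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive nested setter: walks a dot-separated path, creating objects as needed.
function setPathNaive(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // follows inherited properties too
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: rejects sensitive keys and descends only into own properties.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (BLOCKED_KEYS.has(key)) throw new TypeError(`refusing path segment "${key}"`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null); // intermediate nodes carry no prototype
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on a constructed input and reports whether unrelated objects change.
function comparePollution() {
  const path = '__proto__.polluted'; // constructed sample input
  setPathNaive({}, path, true);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the side effect before the next check
  let rejected = false;
  try { setPathSafe({}, path, true); } catch (e) { rejected = e instanceof TypeError; }
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, rejected, safePolluted };
}
```

The same key check belongs wherever untrusted strings become property names, including merge and clone helpers.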

Reserved 2025-04-03 | Published 2025-04-04 | Updated 2025-04-04 | Assigner snyk


MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

HIGH: 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Problem types

Prototype Pollution

Credits

Miguel Monteiro

References

security.snyk.io/vuln/SNYK-JS-EXPANDOBJECT-5821390

gist.github.com/...monteiro/d8f66af61d14e06338b688f90c4dfa7c

github.com/...linkert/expand-object/blob/master/index.js#L13

cve.org (CVE-2025-3197)

nvd.nist.gov (CVE-2025-3197)
