Bug 2397904 (CVE-2025-57347) - CVE-2025-57347 dagre-d3-es: dagre-d3-es prototype pollution
Summary: CVE-2025-57347 dagre-d3-es: dagre-d3-es prototype pollution
Keywords:
Status: NEW
Alias: CVE-2025-57347
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2399822 2399824 2399834 2399835 2399826 2399828 2399830 2399832 2399833
Blocks:
 
Reported: 2025-09-24 19:01 UTC by OSIDB Bzimport
Modified: 2025-10-24 07:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Github tbo47/dagre-es issues
ID: 52
Private: 0
Priority: None
Status: open
Summary: Prototype Pollution in dagre-d3-es Prior to 7.0.11
Last Updated: 2025-09-27 07:37:28 UTC

Description OSIDB Bzimport 2025-09-24 19:01:18 UTC
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.
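Added example, not code from the dagre-d3-es package or from the referenced pull request: a minimal JavaScript model of the addConflict pattern the description names, showing how a node id of "__proto__" turns a per-node bookkeeping write into a write on Object.prototype, next to a prototype-less form that closes the hole. The function bodies, makeConflictMap, isPolluted, demo and the node ids "__proto__" and "polluted" are this example's own constructions; the upstream fix may differ in detail.

```javascript
// Added example, not the dagre-d3-es source: a minimal model of the
// addConflict pattern named in the bug description, plus a hardened form.
// Node ids and the marker name below are constructed for the demo.

// Vulnerable model. `conflicts` is a plain object keyed by node id, as a
// bookkeeping map in layout code typically is. When v is "__proto__",
// conflicts[v] does not miss: it returns Object.prototype through the
// inherited accessor, which is truthy, so the final assignment writes
// conflictsV[w] = true onto Object.prototype, visible to every object.
function addConflictVulnerable(conflicts, v, w) {
  if (v > w) {
    const tmp = v;
    v = w;
    w = tmp;
  }
  let conflictsV = conflicts[v];
  if (!conflictsV) {
    conflicts[v] = conflictsV = {};
  }
  conflictsV[w] = true;
}

// Hardened model. Both levels of the map are prototype-less objects, so
// "__proto__" is an ordinary own key and no lookup can reach the prototype
// chain. Callers must build the outer map with makeConflictMap(); a plain {}
// passed in would reopen the hole at the outer level.
function makeConflictMap() {
  return Object.create(null);
}

function addConflictHardened(conflicts, v, w) {
  if (v > w) {
    const tmp = v;
    v = w;
    w = tmp;
  }
  let conflictsV = conflicts[v];
  if (!conflictsV) {
    conflictsV = Object.create(null);
    conflicts[v] = conflictsV;
  }
  conflictsV[w] = true;
}

// True if `key` has been planted on Object.prototype itself.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs both versions against the same attacker-controlled pair of node ids
// (an untrusted graph only needs to carry a node whose id is "__proto__")
// and reports what each one did.
function demo() {
  const attackerNodeId = "__proto__"; // constructed untrusted node id
  const marker = "polluted";          // constructed second node id

  const vulnerable = {};
  addConflictVulnerable(vulnerable, attackerNodeId, marker);
  // An unrelated, freshly created object now sees the marker.
  const pollutedAfterVulnerable = isPolluted(marker) && ({})[marker] === true;
  delete Object.prototype[marker]; // undo the pollution so the rest of the process is unaffected

  const hardened = makeConflictMap();
  addConflictHardened(hardened, attackerNodeId, marker);
  const pollutedAfterHardened = isPolluted(marker);
  const recordedInHardened = hardened[attackerNodeId][marker] === true;

  // Ordinary ids behave the same in both versions: the pair is stored under
  // the smaller id, so ("b", "a") lands at conflicts.a.b.
  const ordinary = makeConflictMap();
  addConflictHardened(ordinary, "b", "a");
  const ordinaryStored = ordinary.a.b === true;

  return { pollutedAfterVulnerable, pollutedAfterHardened, recordedInHardened, ordinaryStored };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node` and `pollutedAfterVulnerable` comes back true while `pollutedAfterHardened` stays false. In a layout library the node ids come from the graph being rendered, so any diagram source an end user supplies is the input path; the swap to prototype-less containers (or a Map) removes the inherited `__proto__` accessor rather than relying on a denylist of key names.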

Comment 2 Lumír Balhar 2025-09-27 07:37:29 UTC
The issue is not fixed yet.

Comment 3 Lumír Balhar 2025-10-24 07:59:11 UTC
The issue has been fixed in https://github.com/tbo47/dagre-es/pull/54 and released today in 7.0.13.

