CVE-2025-57347 (CNNVD-202509-3798)
中文标题:
dagre-d3-es 安全漏洞
英文标题:
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the '...
漏洞描述
中文描述:
dagre-d3-es是Teebo个人开发者的一个js库。 dagre-d3-es 7.0.11之前版本存在安全漏洞,该漏洞源于bk模块的addConflict函数未正确清理用户输入,可能导致原型污染攻击。
英文描述:
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| tbo47 | dagre-d3-es | 7.0.9 | - | - |
cpe:2.3:a:tbo47:dagre-d3-es:7.0.9:*:*:*:*:node.js:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (adp)
CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-57347 |
2025-11-11 15:23:30 | 2025-11-11 07:40:44 |
| NVD | nvd_CVE-2025-57347 |
2025-11-11 15:01:04 | 2025-11-11 07:48:31 |
| CNNVD | cnnvd_CNNVD-202509-3798 |
2025-11-11 15:12:58 | 2025-11-11 08:00:13 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-3798
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 0 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']