CVE-2025-57354 in Node.jsinfo

Summary

by MITRE • 09/24/2025

A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library's failure to properly validate or neutralize special characters in translation key inputs before processing.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/24/2025

The vulnerability identified as CVE-2025-57354 resides within the counterpart library for Node.js and browser environments, representing a critical prototype pollution weakness that stems from inadequate input sanitization during translation key processing. This flaw affects all versions prior to 0186 and demonstrates how seemingly innocuous translation functionality can become a vector for severe security compromises. The root cause lies in the library's failure to properly validate or neutralize special characters in translation key inputs, creating an environment where malicious actors can manipulate the library's behavior through carefully crafted input sequences.

The technical implementation of this vulnerability exploits the fundamental nature of JavaScript prototypes and demonstrates a classic prototype pollution attack pattern that aligns with CWE-471. When attackers supply translation keys containing prototype chain elements such as _proto_ or constructor, the library processes these inputs without adequate validation, allowing the malicious properties to be injected directly into the JavaScript Object prototype. This occurs specifically through the first parameter of the translate method when combined with certain separator configurations that bypass the library's input validation mechanisms. The attack vector leverages the fact that JavaScript's prototype chain inheritance can be manipulated through direct property assignment, particularly when the library fails to sanitize user-controlled inputs before processing them.

The operational impact of this vulnerability extends beyond simple functionality manipulation and can result in severe consequences including denial-of-service conditions and potential remote code execution within vulnerable applications. When prototype pollution occurs, it can affect the entire application's behavior by modifying core object properties and methods that are inherited by all instances. This creates a cascading effect where seemingly benign translation operations can alter fundamental application behavior, potentially leading to arbitrary code execution if the polluted prototype properties are subsequently used in contexts that evaluate or execute code. The vulnerability's severity is amplified by the fact that many applications rely on translation libraries for internationalization, making this attack surface particularly widespread.

Applications using the counterpart library are particularly vulnerable when they process user-controlled translation keys without proper input validation, creating an environment where attackers can exploit the prototype pollution to gain unauthorized access or disrupt application functionality. The ATT&CK framework categorizes this vulnerability under T1059.007 for Scripting Languages and T1211 for Exploitation for Privilege Escalation, as the prototype pollution can be leveraged to escalate privileges or execute arbitrary code within the application context. Organizations should prioritize updating to version 0.18.6 or later, which implements proper input sanitization and validation mechanisms to prevent malicious prototype chain manipulation. Additionally, implementing proper input validation at multiple layers of the application architecture, including sanitizing translation keys before they reach the library, provides defense-in-depth protection against similar vulnerabilities that may arise in other components of the system.

Responsible

MITRE

Reservation

08/17/2025

Disclosure

09/24/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00452

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!