CVE-2025-26278
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-09-26

Assigner: MITRE

Description
A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-25
Last Modified
2025-09-26
Generated
2026-06-16
AI Q&A
2025-09-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-26278
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dref dref 0.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-26278 is a Prototype Pollution vulnerability in the dref package version 0.1.2, specifically in the lib.set function. It allows an attacker to supply a crafted payload that modifies the global Object prototype by adding or changing properties. This manipulation can lead to unexpected behavior in applications using this library, primarily causing a Denial of Service (DoS). In some cases, if the polluted properties affect sensitive Node.js APIs like exec or eval, it could escalate to remote code execution or other injection attacks. [1]

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) in applications using the vulnerable dref library. Additionally, if the polluted prototype properties influence sensitive Node.js APIs such as exec or eval, an attacker could potentially execute arbitrary commands within your application's context, leading to remote code execution or other injection-based attacks. [1]

Detection Guidance

Detection can be performed by checking if the global Object prototype has been polluted with unexpected properties. For example, in a Node.js environment, you can run commands to inspect the prototype chain for the presence of suspicious keys such as 'pollutedKey'. A sample command in a Node.js REPL or script would be: `console.log({}.__proto__.pollutedKey);` If this outputs the value '123' or any unexpected value, it indicates prototype pollution. Additionally, reviewing usage of the dref library version 0.1.2 and monitoring for unusual behavior or crashes related to the lib.set function can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Avoid using dref version 0.1.2 or upgrade to a patched version if available. 2) Sanitize and validate all inputs that may be passed to the lib.set function to prevent crafted payloads targeting Object.prototype. 3) If upgrading is not possible, implement runtime checks to detect and remove polluted properties from Object.prototype, such as deleting suspicious keys like 'pollutedKey'. 4) Monitor application logs for signs of Denial of Service or unexpected behavior related to prototype pollution. 5) Limit the use of sensitive Node.js APIs that could be exploited if prototype pollution occurs. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-26278. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart