CVE-2025-32014: 
JavaScript vulnerability analysis and mitigation

CVE-2025-32014 affects estree-util-value-to-estree, a JavaScript library that converts JavaScript values to ESTree expressions. The vulnerability was discovered and disclosed on April 6, 2025, affecting versions prior to 3.3.3. When generating an ESTree from a value with a property named proto, valueToEstree would generate an object that specifies a prototype instead, leading to potential prototype pollution issues (GitHub Advisory).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). It has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The issue occurs when the library processes objects containing proto properties, where instead of treating it as a regular property, it generates code that modifies the object's prototype (NVD).

The vulnerability could lead to prototype pollution, which may allow attackers to modify object prototypes and potentially execute unintended code. This could affect the integrity and security of applications using the affected versions of the library (GitHub Advisory).

The vulnerability has been fixed in version 3.3.3 of estree-util-value-to-estree. For users who cannot immediately update, two workarounds are available: 1) If controlling the input, avoid specifying properties named proto, or 2) Strip any properties named proto before passing data to valueToEstree (GitHub Advisory).