CVE-2025-48054: 
JavaScript vulnerability analysis and mitigation

CVE-2025-48054 affects Radashi, a TypeScript utility toolkit. The vulnerability was discovered in the set function of versions prior to 12.5.1, where improper input validation could lead to prototype pollution. The issue was disclosed and patched on May 23, 2025 (GitHub Advisory).

The vulnerability stems from insufficient validation in the set function, which could allow modification of object prototypes through specially crafted path arguments. The issue is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The vulnerability has been assigned a CVSS v4.0 score of 6.8 MEDIUM with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

If exploited, this vulnerability could allow attackers to modify the prototype of all objects in the JavaScript runtime. This can lead to unexpected behavior, denial of service, or potentially remote code execution in specific scenarios (GitHub Advisory).

The vulnerability has been patched in version 12.5.1 with the implementation of a new isDangerousKey helper function that prevents the use of proto, prototype, or constructor as keys in the path. For users unable to upgrade, a workaround involves sanitizing the path argument to ensure no part of the path string contains these dangerous keys (GitHub Advisory, GitHub Commit).