CVE-2025-54803: 
JavaScript vulnerability analysis and mitigation

js-toml, a TOML parser for JavaScript that is fully compliant with the TOML 1.0.0 Spec, was found to contain a prototype pollution vulnerability (CVE-2025-54803) in versions below 1.0.2. The vulnerability was discovered and responsibly disclosed by security researcher siunam321 on August 3, 2025, and was patched in version 1.0.2 released on August 4, 2025. The vulnerability affects all versions of js-toml prior to version 1.0.2 (GitHub Advisory).

The vulnerability allows a remote attacker to add or modify properties of the global Object.prototype by parsing a maliciously crafted TOML input containing specially crafted keys like proto. The issue has been assigned a CVSS v4.0 base score of 7.9 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H. The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) (NVD, GitHub Advisory).

While the js-toml library itself does not contain known vulnerable gadgets, this vulnerability can lead to severe security issues in applications using the library. The most critical impact is potential authentication bypass if the application checks for property existence for authorization purposes (e.g., user.isAdmin). Other potential impacts include Denial of Service (DoS) or Remote Code Execution (RCE), depending on the application's logic and dependencies. The severity of impact varies based on how the application handles object properties (GitHub Advisory).

The vulnerability has been patched in version 1.0.2 of js-toml. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, the only workaround is to ensure that any TOML input being passed to the js-toml library comes from a fully trusted source and has been validated to not contain malicious keys. The fix was implemented by creating safe objects without prototype pollution vulnerability using Object.create(null) (GitHub Commit).