
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-54803 affects js-toml, a TOML parser for JavaScript that is fully compliant with the TOML 1.0.0 Spec. The vulnerability was discovered in versions below 1.0.2 and was disclosed on August 3, 2025. The issue is a prototype pollution vulnerability that allows remote attackers to add or modify properties of the global Object.prototype by parsing maliciously crafted TOML input (GitHub Advisory).
The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, i.e. prototype pollution). The issue received a CVSS v4.0 base score of 7.9 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H: no impact on the library itself, high impact on the subsequent system that consumes the parsed data. The flaw lies in how js-toml creates objects and assigns properties while walking TOML key paths: a key segment named __proto__ resolves to Object.prototype, so the assignment that follows lands on the shared prototype instead of on the result object (NVD).
While the js-toml library itself does not contain known vulnerable gadgets, this vulnerability can lead to severe security issues in applications using the library. The potential impacts include authentication bypass (if applications check for properties like user.isAdmin), Denial of Service (DoS), and in some cases, Remote Code Execution (RCE), depending on the application's logic and dependencies. Any application using an affected version of js-toml to parse untrusted input is vulnerable (GitHub Advisory).
The vulnerability has been patched in version 1.0.2 of js-toml. Users are strongly advised to upgrade to this version or later. If immediate upgrading is not possible, the only workaround is to ensure that any TOML input parsed by js-toml comes from fully trusted sources and has been validated to not contain malicious keys (GitHub Advisory). Note that TOML allows quoted keys, so "__proto__" and __proto__ name the same segment; any pre-parse validation must be applied to the key segments as the parser will see them, not only to the raw text.
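To make the mechanism and the interim workaround concrete, the following is an added example and is not js-toml's code. It implements a deliberately naive dotted-key assigner (one key = value per line, JSON-compatible literals; a simplification of TOML, not a real parser) in the style that produces this bug, beside a hardened version that rejects __proto__, constructor and prototype segments and builds null-prototype containers. It also includes a pre-parse screen over key segments (the kind of validation the workaround above requires, handling quoted keys) and a runtime check for an already-polluted Object.prototype. The sample inputs are constructed for the demonstration.

```javascript
// Added example, not js-toml's code: a toy TOML-style dotted-key assigner
// showing how a `__proto__` key segment pollutes Object.prototype, beside
// a hardened version. Simplifications (assumptions, not TOML semantics):
// one `key = value` per line, values are JSON-compatible literals, no tables.

// Split a dotted key on '.' outside double quotes and strip the quotes,
// so `"__proto__".isAdmin` and `__proto__.isAdmin` yield the same segments.
function splitKey(rawKey) {
  const parts = [];
  let cur = '';
  let inQuote = false;
  for (const ch of rawKey) {
    if (ch === '"') { inQuote = !inQuote; continue; }
    if (ch === '.' && !inQuote) { parts.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur.trim());
  if (inQuote || parts.some((p) => p === '')) throw new Error(`bad key: ${rawKey}`);
  return parts;
}

// Yield [keyPath, value] pairs; comments and blank lines are skipped.
function* assignments(tomlText) {
  for (const line of tomlText.split('\n')) {
    const t = line.trim();
    if (t === '' || t.startsWith('#')) continue;
    const eq = t.indexOf('=');
    if (eq < 0) throw new Error(`unsupported line: ${line}`);
    yield [splitKey(t.slice(0, eq)), JSON.parse(t.slice(eq + 1).trim())];
  }
}

// Vulnerable pattern: plain {} containers and an unchecked property walk.
// For the segment '__proto__', node[seg] is Object.prototype (an object),
// so the walk steps onto the shared prototype and the final write pollutes it.
function parseUnsafe(tomlText) {
  const root = {};
  for (const [path, value] of assignments(tomlText)) {
    let node = root;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: refuse prototype-reaching segments outright, and use
// null-prototype containers plus own-property checks so no inherited
// getter or setter is ever consulted during the walk.
function parseSafe(tomlText) {
  const root = Object.create(null);
  for (const [path, value] of assignments(tomlText)) {
    if (path.some((seg) => FORBIDDEN.has(seg))) {
      throw new Error(`refusing key path ${path.join('.')}`);
    }
    let node = root;
    for (const seg of path.slice(0, -1)) {
      if (!Object.hasOwn(node, seg) || typeof node[seg] !== 'object' || node[seg] === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Pre-parse screen for the interim workaround: checks parsed key segments,
// so quoted forms such as "__proto__" are caught as well.
function hasForbiddenKey(tomlText) {
  for (const [path] of assignments(tomlText)) {
    if (path.some((seg) => FORBIDDEN.has(seg))) return true;
  }
  return false;
}

// Runtime canary: Object.prototype normally has no own enumerable properties.
function prototypeIsPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed attacker input (bare and quoted spelling of the same key).
const MALICIOUS = ['__proto__.isAdmin = true', '"__proto__".isAdmin = true'].join('\n');

function demo() {
  const before = prototypeIsPolluted();
  parseUnsafe(MALICIOUS);
  const polluted = ({}).isAdmin === true;   // every object now claims isAdmin
  delete Object.prototype.isAdmin;          // undo so the process stays usable
  let safeRejected = false;
  try { parseSafe(MALICIOUS); } catch { safeRejected = true; }
  return { before, polluted, safeRejected, after: prototypeIsPolluted() };
}

console.log(demo());
```

The parseUnsafe walk is the shape to look for in a code review of any "dotted key to nested object" helper: the bug is not the TOML format but the combination of a plain object container with a property walk that never checks ownership. Object.hasOwn requires Node 16.9 or later.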
Source: This report was generated using AI