
Cloud Vulnerability DB
A community-led vulnerabilities database
A Prototype Pollution vulnerability was discovered in the fast-redact package (CVE-2025-57319), affecting version 3.5.0 and earlier. The vulnerability was disclosed on September 24, 2025, and is located in the nestedRestore function. Fast-redact is a package designed to provide fast object redaction capabilities. Notably, this vulnerability is currently disputed by the supplier (NVD).
The vulnerability exists in the nestedRestore function of fast-redact, where attackers can potentially inject properties on Object.prototype through a crafted payload. The CVSS v3.1 base score has been rated as 7.5 (HIGH) by CISA-ADP, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. However, Red Hat has assessed it with a lower CVSS score of 4.2, using the vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (Red Hat).
The primary impact of this vulnerability is the potential for denial of service (DoS) attacks, which is considered the minimum consequence of successful exploitation. The supplier disputes the severity, stating that the reporter only demonstrated access to properties through an internal utility function, with no means of achieving prototype pollution via the public API (NVD).
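The usual mitigation for this bug class is to refuse path segments that can reach Object.prototype before writing a value back into a nested object. The following is an added illustration and not fast-redact's own code: fast-redact's real nestedRestore internals are not reproduced here, and the helper names, the constructed sample object and the sample paths are assumptions.

```javascript
// Added illustration, not fast-redact's code: a nested "restore" helper that
// writes a saved value back to a key path inside an object while rejecting
// segments that would pollute Object.prototype, plus a check a test suite
// can run to confirm the prototype stayed clean.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True when every segment is a string and none of them is a prototype-reaching key.
function isSafePath(segments) {
  return segments.every((seg) => typeof seg === 'string' && !FORBIDDEN_KEYS.has(seg));
}

// Restore `value` at `path` (array of keys) inside `obj`.
// Returns true on success, false when the path is rejected as potentially polluting.
function safeNestedRestore(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0 || !isSafePath(path)) return false;
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    // Only descend into own, plain-object properties; never follow inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Detection check: Object.prototype has no own enumerable keys by default, so
// any that appear are a tell-tale sign that a pollution payload got through.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample (hypothetical data, not from the advisory).
const sample = { user: { name: 'alice', password: '[REDACTED]' } };
const restored = safeNestedRestore(sample, ['user', 'password'], 'hunter2'); // true
const blocked = safeNestedRestore(sample, ['__proto__', 'polluted'], 'yes');  // false
```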
Currently, mitigation options are limited. According to Red Hat's assessment, mitigation for this issue is either not available or the currently available options do not meet their Product Security criteria for ease of use, deployment, applicability to widespread installation base, or stability (Red Hat).
The vulnerability has generated discussion within the security community, particularly due to the dispute between the initial report and the supplier's response. An issue has been opened on the fast-redact GitHub repository to address the vulnerability, indicating active engagement from the development community (Github Issue).
Source: This report was generated using AI