CVE-2025-57328: 
JavaScript vulnerability analysis and mitigation

A Prototype Pollution vulnerability exists in the toggle-array package version 1.0.1 and earlier. The vulnerability is identified as CVE-2025-57328 and was disclosed on September 24, 2025. The vulnerability affects the enable and disable functions of the package, which is designed to enable a property on an object at a specified index while disabling the property on all other objects (NVD).

The vulnerability exists in the enable and disable functions of toggle-array v1.0.1 and earlier versions. Attackers can inject properties on Object.prototype by supplying a crafted payload. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue has been classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) (NVD).

The primary impact of this vulnerability is the potential for denial of service (DoS) attacks, which is noted as the minimum consequence. The vulnerability allows attackers to manipulate the Object.prototype through property injection, which can affect the entire application's behavior and stability (NVD).

No official patches or mitigations have been publicly announced at the time of this report. Users are advised to monitor for updates from the package maintainers and consider implementing input validation as a temporary workaround (NVD).