Description
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 5.0.0-beta.19
References
Related Issues
- min-document vulnerable to prototype pollution - CVE-2025-57352
- @pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation - CVE-2025-53626
- node-gettext vulnerable to Prototype Pollution - CVE-2024-21528
- mpregular vulnerable to prototype pollution - CVE-2025-57323
You might also like:
- Tags:
- npm
- node-cube
Anything's wrong? Let us know Last updated on September 25, 2025