Threat Advisory

Tmlmobilidade Utils Vulnerability Exposes Prototype Pollution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45325 (CVSS score 8.2) is a prototype pollution vulnerability in the npm package @tmlmobilidade/utils, affecting versions prior to 20260509.0340.15. The package's setValueAtPath function allows an attacker to inject data into the target object's prototype chain, which can lead to unintended behaviour and potentially to arbitrary code execution. An attacker can exploit this by crafting malicious input that is processed by setValueAtPath; only a low level of access is required, such as the ability to supply data that reaches the targeted object. Successful exploitation lets the attacker manipulate the target object's prototype chain and potentially execute arbitrary code, resulting in a high business impact: unauthorized data access, modification or destruction, and potential system compromise. Exploitation requires that the vulnerable package version be present in the affected application.

RECOMMENDATION:

  • We recommend updating npm/@tmlmobilidade/utils to version 20260509.0340.15.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-cmxg-94mg-jq94
