10 matches found
MAL-2025-192796 Malicious code in estree-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 137bbad3650384f516e11cd21a91087a3521948ed4f6c1952af26ebb739f5e54 The package estree-util was found to contain malicious code...
Malicious code in estree-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 137bbad3650384f516e11cd21a91087a3521948ed4f6c1952af26ebb739f5e54 The package estree-util was found to contain malicious code...
CVE-2025-32014
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3...
@active-mdx/core (>=0.2.0 <=0.9.6), @allenlee/remark-mdx-frontmatter (=3.1.2) +289 more potentially affected by CVE-2025-32014 via estree-util-value-to-estree (>=1.3.0 <=3.3.2)
estree-util-value-to-estree NPM version =1.3.0, =0.2.0, =0.0.1-alpha.1, =0.1.0, =0.0.1, =0.0.6, =0.0.0-rc-20220721064837, =0.1.3, =0.1.3, =0.1.3, =0.1.3, =0.9.1, =1.0.0 and more Source cves: CVE-2025-32014 Source advisory: OSV:GHSA-F7F6-9JQ7-3RQJ...
GHSA-F7F6-9JQ7-3RQJ estree-util-value-to-estree allows prototype pollution in generated ESTree
Impact When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. Example: js import generate from 'astring' import valueToEstree from 'estree-util-value-to-estree' const estree = valueToEstree '__proto__': const code...
CVE-2025-32014
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3...
CVE-2025-32014
CVE-2025-32014 affects estree-util-value-to-estree. When valueToEstree processes an object with a __proto__ property, the generated ESTree could pollute prototypes; this is fixed in version 3.3.3. Remediation is to upgrade to 3.3.3+ or apply the provided workaround (avoid/strip __proto__ properties). In ...
CVE-2025-32014 estree-util-value-to-estree allows prototype pollution in generated ESTree
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3...
estree-util-value-to-estree security vulnerability
estree-util-value-to-estree is a tool for converting JavaScript values to estree expressions by the individual developer Remco Haszing. A security vulnerability exists in estree-util-value-to-estree that stems from improper handling of the __proto__ attribute, which could lead to prototype...
PT-2025-15241 · Unknown · Estree-Util-Value-To-Estree
Name of the Vulnerable Software and Affected Versions: estree-util-value-to-estree versions prior to 3.3.3 Description: The issue arises when estree-util-value-to-estree converts a JavaScript value to an ESTree expression. Specifically, when generating an ESTree from a value with a property named...