Skip to content

react-vis-1.12.1.tgz: 1 vulnerabilities (highest severity is: 5.3) #374

New issue
New issue
Open
Open
react-vis-1.12.1.tgz: 1 vulnerabilities (highest severity is: 5.3)#374
Assignees
dzane17
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Sep 30, 2025
Vulnerable Library - react-vis-1.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 70787873ab3d4124eb5ab3580b548f560a17a0d3

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (react-vis version) Remediation Possible**
CVE-2025-57352 Medium 5.3 min-document-2.19.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-57352

Vulnerable Library - min-document-2.19.0.tgz

A minimal DOM implementation

Library home page: https://registry.npmjs.org/min-document/-/min-document-2.19.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • react-vis-1.12.1.tgz (Root Library)
    • global-4.4.0.tgz
      • min-document-2.19.0.tgz (Vulnerable Library)

Found in HEAD commit: 70787873ab3d4124eb5ab3580b548f560a17a0d3

Found in base branch: main

Vulnerability Details

A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the proto property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-24

URL: CVE-2025-57352

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Metadata

Metadata

Assignees

Labels

Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions