PT-2025-14841 · Unknown · Expand-Object

Miguel Monteiro · Published 2025-04-04 · Updated 2025-04-09 · CVE-2025-3197

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: expand-object versions 0.0.0 and later

Description: The issue concerns a Prototype Pollution flaw in the expand() function located in index.js. This function expands a given string into an object, but it does not check the supplied keys for sensitive property names such as __proto__, allowing a nested property to be set through such a key. This can be exploited by attackers.

Recommendations: For versions 0.0.0 and later of expand-object, consider disabling the expand() function in index.js until a patch is available to prevent potential exploitation. Restrict access to sensitive properties like __proto__ to minimize the risk of Prototype Pollution.
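As an added example, not code from the expand-object project or from this advisory, the following JavaScript shows a hardened form of the string-to-object expansion described above: it refuses the prototype-reaching key names, builds the result on a null-prototype object so a missed key still cannot reach Object.prototype, and exposes a validation helper that can be run on untrusted input before anything is built. The input grammar ("a.b:value,c:value", with a bare path meaning true) is an assumption made for this example and may differ from the library's own.

```javascript
// Added example (not the expand-object project's code): a hardened
// dotted-path expander. Grammar "a.b.c:value,d:value" is assumed here.

// Property names that would let a key path reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the forbidden key names found in a dotted path (empty array when
// the path is clean). Suitable as a pre-validation step on untrusted input.
function forbiddenKeysIn(path) {
  return path.split('.').filter((key) => FORBIDDEN_KEYS.has(key));
}

// Assign value at the key path inside target, creating intermediate
// null-prototype containers. Throws rather than touching a forbidden key.
function setPath(target, keys, value) {
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key "${key}"`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
      return;
    }
    // Descend only into an own, non-null object property; anything else
    // (missing, inherited, primitive) is replaced by a fresh container.
    const existing = Object.prototype.hasOwnProperty.call(node, key)
      ? node[key]
      : undefined;
    if (existing === null || typeof existing !== 'object') {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
}

// Expand "a.b:1,c.d:2" into { a: { b: '1' }, c: { d: '2' } }. A segment
// without ":" becomes boolean true. The result has a null prototype.
function safeExpand(input) {
  const result = Object.create(null);
  for (const segment of input.split(',')) {
    if (segment === '') continue;
    const sep = segment.indexOf(':');
    const path = sep === -1 ? segment : segment.slice(0, sep);
    const value = sep === -1 ? true : segment.slice(sep + 1);
    setPath(result, path.split('.'), value);
  }
  return result;
}

// Stand-alone usage on constructed input.
console.log(JSON.stringify(safeExpand('a.b:1,c:2,verbose')));
console.log('forbidden keys:', forbiddenKeysIn('a.__proto__.b'));
```

The check is deliberately an allow-nothing rule on three names rather than a deny-list of behaviours: `__proto__` is the setter that walks to the prototype, while `constructor.prototype` reaches the same object by a second route, so all three are refused before any assignment happens.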

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2025-3197
GHSA-4VJR-HFPP-2M7W

Affected Products

Expand-Object