PT-2025-39322 · Npm · Dagre-D3-Es

Published: 2025-09-24 · Updated: 2025-10-17 · CVE-2025-57347

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: dagre-d3-es versions prior to 7.0.11
Description: A flaw exists in the 'dagre-d3-es' Node.js package, in the addConflict() function of the 'bk' module. The function assigns properties keyed by attacker-influenced values without sanitizing the key, which allows prototype pollution. An attacker who can supply a key such as `__proto__` can modify the JavaScript Object prototype chain. Successful exploitation may result in denial of service, unexpected application behavior, or arbitrary code execution when the polluted properties are later accessed or executed.
Recommendations: Update to dagre-d3-es version 7.0.11 or later.
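The description above names the pattern at fault: a nested map written as conflicts[v][w] = true with an unchecked key v. The following is an added illustration, not code from dagre-d3-es or from this advisory; the names createConflictMap, addConflictSafe, prototypeIsClean and FORBIDDEN_KEYS are assumptions chosen for the example. It shows the hardened shape of such a setter (null-prototype maps plus key validation) and a defender-side check that Object.prototype survived processing untrusted input.

```javascript
// Added example (not the library's own code): a hardened nested-map setter
// for the addConflict()-style pattern "conflicts[v][w] = true", plus a
// check that Object.prototype has not been polluted afterwards.
// All identifiers below are assumptions made for this illustration.

// Keys that can redirect a property write onto Object.prototype or
// a constructor's prototype when used on a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A map with no prototype: there is no Object.prototype behind it, so
// "__proto__" is just an ordinary own key rather than an inherited setter.
function createConflictMap() {
  return Object.create(null);
}

// Hardened addConflict: rejects unsafe keys and only reads own properties
// of the map, so a lookup can never fall through to Object.prototype.
function addConflictSafe(conflicts, v, w) {
  for (const key of [v, w]) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing unsafe node id: ${String(key)}`);
    }
  }
  // Keep the pair ordered, as the original pattern does.
  if (v > w) {
    [v, w] = [w, v];
  }
  const hasOwn = Object.prototype.hasOwnProperty.call(conflicts, v);
  let inner = hasOwn ? conflicts[v] : undefined;
  if (!inner) {
    inner = Object.create(null);
    conflicts[v] = inner;
  }
  inner[w] = true;
  return conflicts;
}

// Detection: after handling untrusted input, a fresh empty object must not
// inherit any of the given keys. Returns true when the prototype is clean.
function prototypeIsClean(keys) {
  const probe = {};
  return keys.every((k) => !(k in probe));
}

// Usage (constructed input): a normal pair is stored, an unsafe id is refused.
const conflicts = createConflictMap();
addConflictSafe(conflicts, 'b', 'a');
try {
  addConflictSafe(createConflictMap(), '__proto__', 'polluted');
} catch (e) {
  // expected: TypeError for the unsafe node id
}
console.log(prototypeIsClean(['polluted'])); // true
```

The two defences are independent: Object.create(null) removes the prototype that an unchecked key would reach, and the key check stops the same input from being forwarded to any other plain-object consumer downstream. prototypeIsClean() is useful as a post-condition in tests that feed untrusted graph input through a library.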

Tags: Exploit · Fix · DoS · Prototype Pollution

Weakness Enumeration

Related Identifiers: CVE-2025-57347

Affected Products: Dagre-D3-Es