Description
npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
Published: 2026-05-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in npm package parse-ini version 1.0.6 allows prototype pollution because the function in index.js does not properly sanitize input data. This flaw enables an attacker to inject malicious properties into the prototypes of standard JavaScript objects, which can alter application behavior, corrupt data structures, or lead to arbitrary code execution. The weakness matches the pattern of prototype manipulation weaknesses.

Affected Systems

Any Node.js application that incorporates parse-ini v1.0.6 or earlier is potentially impacted. Projects that read or parse .ini configuration files supplied from untrusted sources are at particular risk, because they may expose the vulnerable function to external input without validation.

Risk and Exploitability

The EPSS score is < 1%, and the CVSS score is 9.8. The vulnerability is not listed in the CISA KEV catalog. Prototype pollution is widely regarded as a high‑severity issue that can be exploited when an application accepts untrusted data. Because the vulnerability resides in a library commonly used for configuration parsing, an attacker could craft a specially formatted .ini file or query string to trigger the vulnerability in a live deployment. Observers must consider the high CVSS score and the fact that the flaw can be triggered by user‑supplied data to assess risk.

Generated by OpenCVE AI on May 9, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the parse‑ini package to the latest released version that fixes the prototype pollution issue.
  • If upgrading is not immediately possible, isolate and sanitize any data passed to parse‑ini so that only trusted, well‑formed input is processed.
  • Review application code to ensure that any input from external sources is validated or filtered before being passed to parse‑ini.
  • Verify that the environment does not allow prototype modifications through any other library interactions, and consider enabling strict mode or other runtime protection mechanisms.
  • Consider design changes that eliminate the need to parse .ini files in exposed interfaces, or replace parse‑ini with a maintained alternative.

Generated by OpenCVE AI on May 9, 2026 at 00:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x72j-hv9f-qqh4 parse-ini is vulnerable to Prototype Pollution in index.js()
History

Sat, 09 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Prototype Pollution Vulnerability in parse-ini v1.0.6

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Parse-ini
Parse-ini parse-ini
Vendors & Products Parse-ini
Parse-ini parse-ini

Thu, 07 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Prototype Pollution Vulnerability in parse-ini v1.0.6
Weaknesses CWE-1321

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
References

Subscriptions

Parse-ini Parse-ini
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T22:30:22.892Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63703

cve-icon Vulnrichment

Updated: 2026-05-08T22:30:14.624Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T16:16:17.590

Modified: 2026-05-08T23:16:33.447

Link: CVE-2025-63703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T01:00:14Z

Weaknesses