Impact
Style Dictionary’s convertTokenData utility is vulnerable to prototype pollution, a weakness that permits an attacker to inject arbitrary key/value pairs into JavaScript object prototypes. The flaw, identified as CWE‑1321, can modify the prototype chain of objects processed by the utility, potentially enabling the attacker to overwrite properties or cause unintended code execution during subsequent operations. The vulnerability becomes significant when a Node.js server application incorporates Style Dictionary to process token data that may originate from external or untrusted sources.
Affected Systems
Versions of Style Dictionary from 4.3.0 up to and including 5.4.3 are affected. The library, a Node.js build system for cross‑platform styles, is typically integrated into server‑side workflows or build pipelines, but may also be employed in front‑end build processes. The impact level varies: high when the library runs on a server, moderate when embedded in a web application, and lower when token data is carefully controlled by the user and limited to repository or workflow access.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation is currently not widespread. Nonetheless, the flaw can be exploited by supplying malicious token files or by manipulating pipelines that allow external modification of token objects, thereby affecting the runtime behavior of a Node.js context.
OpenCVE Enrichment