CVE-2025-54803 is a high-severity security vulnerability in js-toml (npm), affecting versions < 1.0.2. It is fixed in 1.0.2.
A prototype pollution vulnerability in js-toml allows a remote attacker to add or modify properties of the global Object.prototype by getting a maliciously crafted TOML document parsed by the library.

Impact
The js-toml library is vulnerable to Prototype Pollution. When parsing a TOML string containing the specially crafted key "__proto__", an attacker can add or modify properties on the global Object.prototype. The js-toml library itself does not contain known vulnerable "gadgets", but the pollution can lead to severe security vulnerabilities in applications that use the library. For example, if the consuming application checks for the existence of a property for authorization purposes (e.g., user.isAdmin), an attacker who sets that property on Object.prototype turns the vulnerability into an authentication bypass, because every plain object in the process then inherits the property. Other potential impacts in the application include Denial of Service (DoS) or, in some cases, Remote Code Execution (RCE), depending on the application's logic and dependencies. Any application that uses an affected version of js-toml to parse untrusted input is vulnerable. The severity of the impact, ranging from unexpected behavior to a full security compromise, depends on the application's specific code and how it handles object properties.

Patches
This vulnerability has been patched in version 1.0.2. All users are advised to upgrade to version 1.0.2 or later to mitigate this issue. Users of all prior versions are affected.

Workarounds
If you are unable to upgrade to a patched version, the only mitigation is to ensure that any TOML input passed to the js-toml library comes from a fully trusted source and has been validated to not contain malicious keys such as "__proto__".

References
This vulnerability was discovered and responsibly disclosed by siunam. The Proof-of-Concept can be found at this Gist: https://gist.github.com/siunam321/f3dc4d21a5a932c67b6c11d0026f5afc
For more information on Prototype Pollution, see PortSwigger's explanation: https://portswigger.net/web-security/prototype-pollution
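The following is an added illustration written for this page; it is not js-toml's code, nor the disclosed PoC. It is a deliberately minimal TOML-like parser that reproduces the pattern behind the Impact section (a dotted-key or table-header walk that treats "__proto__" like any other key and so writes onto Object.prototype), placed beside a hardened variant of the kind the Workarounds section implies (reject prototype-chain key names, and build nested containers with a null prototype). The function names (naiveParse, safeParse, runScenario), the constant MALICIOUS_TOML and the sample user object are all hypothetical and constructed for this example; rejecting "constructor" and "prototype" in addition to "__proto__" is a defense-in-depth assumption beyond what the advisory names.

```javascript
"use strict";

// Added illustration (not js-toml's code): a minimal TOML-like key/value
// parser that reproduces the prototype-pollution pattern described in the
// advisory, beside a hardened variant. Only [table] headers, dotted keys,
// double-quoted strings, booleans and integers are handled; real TOML is richer.

// Key segments that name the prototype chain. The advisory names "__proto__";
// "constructor" and "prototype" are rejected as well, as defense in depth (assumption).
const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Parse the scalar on the right-hand side of `key = value`.
function parseValue(raw) {
  const v = raw.trim();
  if (v === "true") return true;
  if (v === "false") return false;
  if (/^-?\d+$/.test(v)) return Number(v);
  if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) return v.slice(1, -1);
  throw new Error(`unsupported value: ${raw}`);
}

// Walk (creating as needed) the nested containers for a dotted key path and
// assign the leaf. makeContainer builds each nesting level; checkSegment is the
// hook the hardened parser uses to reject unsafe segments.
function assignPath(root, segments, value, makeContainer, checkSegment) {
  for (const seg of segments) checkSegment(seg);
  let cur = root;
  for (const seg of segments.slice(0, -1)) {
    // VULNERABLE PATTERN when containers are plain {}: cur["__proto__"] resolves
    // through the inherited accessor to Object.prototype, so the walk steps onto
    // the global prototype and the leaf assignment below lands there.
    if (cur[seg] === undefined || cur[seg] === null) cur[seg] = makeContainer();
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
}

// Shared line-oriented driver: [a.b] headers set a key prefix, `k = v` lines assign.
function parseWith(toml, makeContainer, checkSegment) {
  const root = makeContainer();
  let prefix = [];
  for (const rawLine of toml.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      prefix = header[1].split(".").map((s) => s.trim());
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0) throw new Error(`malformed line: ${rawLine}`);
    const keyPath = line.slice(0, eq).split(".").map((s) => s.trim());
    assignPath(root, prefix.concat(keyPath), parseValue(line.slice(eq + 1)),
      makeContainer, checkSegment);
  }
  return root;
}

// Vulnerable: plain-object containers and no key filtering.
function naiveParse(toml) {
  return parseWith(toml, () => ({}), () => {});
}

// Hardened: null-prototype containers (no inherited __proto__ accessor to walk
// through) plus an explicit reject of prototype-chain key names, so the input
// is refused instead of silently producing an own property named "__proto__".
function safeParse(toml) {
  return parseWith(toml, () => Object.create(null), (seg) => {
    if (UNSAFE_SEGMENTS.has(seg)) throw new Error(`rejected key segment: ${seg}`);
  });
}

// Constructed attacker input: a table header that names the prototype chain.
const MALICIOUS_TOML = `
[__proto__]
isAdmin = true
`;

// Parse attacker input with the given parser, then perform the kind of
// authorization check the advisory warns about: truthiness of user.isAdmin on
// a user object that never had that property. Cleans Object.prototype afterwards
// so the rest of the process is unaffected.
function runScenario(parse, toml) {
  const user = { name: "alice" }; // legitimate, non-admin user object
  let rejected = false;
  try {
    parse(toml);
  } catch (e) {
    rejected = true;
  }
  const result = {
    rejected,
    userIsAdmin: user.isAdmin === true,
    prototypePolluted: Object.prototype.hasOwnProperty.call(Object.prototype, "isAdmin"),
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log("naive:", runScenario(naiveParse, MALICIOUS_TOML));
console.log("safe: ", runScenario(safeParse, MALICIOUS_TOML));
```

With the naive parser the scenario reports rejected: false, userIsAdmin: true, prototypePolluted: true, which is exactly the authorization-bypass escalation the advisory describes; with the hardened parser the document is rejected and nothing reaches Object.prototype. Object.create(null) alone already prevents the write (on a null-prototype object "__proto__" is an ordinary key), but the explicit reject is what keeps a key literally named "__proto__" from surfacing in parsed data, which is what "validated to not contain malicious keys" means in practice for a workaround applied in front of the real library.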
Package: js-toml (npm). Affected: < 1.0.2. Fixed in: 1.0.2.
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2025-54803 is reachable in your applications. Explore open-source security for your team.
See if CVE-2025-54803 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2025-54803 in your environment →
Upgrade js-toml to 1.0.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
js-toml (npm) versions < 1.0.2 are affected.
Yes. CVE-2025-54803 is fixed in 1.0.2. Upgrade to this version or later.
Whether CVE-2025-54803 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade js-toml to 1.0.2 or later.