Prototype Pollution Vulnerability in parse-ini by npm
CVE-2025-63703

9.8 CRITICAL

Key Information:

Vendor: npm

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2025-63703?

Version 1.0.6 of the npm package parse-ini is susceptible to a prototype pollution vulnerability in its index.js file. An attacker can use it to inject properties into the object prototype, potentially leading to unexpected behavior in applications that use the affected package. Developers relying on parse-ini to parse configuration files should review their implementations and consider upgrading to a secure version to mitigate the risk.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
