9.8

CVE-2025-63703: parse-ini npm package allows attackers to modify JavaScript objects

CVE-2025-63703 GHSA-x72j-hv9f-qqh4
Summary

The parse-ini npm package is vulnerable to prototype pollution, which lets attackers modify JavaScript objects and can lead to unexpected behavior in applications that use the package. This could allow attackers to gain unauthorized access to sensitive data. To fix this, update the parse-ini package to a non-vulnerable version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem | Vendor | Product | Affected versions
npm | – | parse-ini | 1.0.6
Original title
parse-ini is vulnerable to Prototype Pollution in index.js()
Original description
npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
Vulnerability type
CWE-1321 Prototype Pollution
Published: 7 May 2026 · Updated: 23 May 2026 · First seen: 7 May 2026