
CISA alerts on graphql-upload-minimal prototype pollution

Version 1.6.1 of the Flash Payments package graphql-upload-minimal contains a prototype pollution vulnerability that can alter global JavaScript prototypes and affect the entire Node.js process.

CVE-2025-65587 identifies the issue in graphql-upload-minimal version 1.6.1. The vulnerability is in the processRequest() function, which parses multipart/form-data and maps uploaded files into the GraphQL operations object. That function processes a user-supplied map parameter that determines where each uploaded file is placed in the operations.variables object. The user-supplied property paths are not validated before they are resolved and written into the target object, so special JavaScript property names such as __proto__, constructor, and prototype can be used as path segments to traverse the prototype chain and modify Object.prototype.

Because Object.prototype is the foundational prototype for most JavaScript objects, modifying it changes the behavior of every such object in the affected Node.js process, not just the request that carried the malicious map. The pollution persists until the service is restarted, and depending on how application and library code read properties that were never set on their own objects, it can result in logic corruption, Denial of Service (DoS), or unintended privilege escalation.

Users should upgrade to graphql-upload-minimal version 1.6.3 or later, available at https://github.com/flash-oss/graphql-upload-minimal/tree/master. The patched release introduces safeguards to prevent unsafe prototype-chain property assignments during multipart file upload processing.
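The following is an added illustration, not code from graphql-upload-minimal or from the advisory. It models the path-writing step described above: a naive dotted-path setter that reproduces the pollution when given a hostile map, next to a hardened setter of the kind the 1.6.3 release is described as adding. The function names (applyUploadMap, setPathUnsafe, setPathSafe), the sample map and file objects, and the specific checks in the hardened version are this example's own assumptions, not the library's code.

```javascript
'use strict';

// Added example, not code from graphql-upload-minimal. It models the step the
// advisory describes: the multipart "map" field names a dotted path under
// operations.variables, and the upload object is written at that path.
// applyUploadMap, setPathUnsafe, setPathSafe and the sample inputs are
// constructed for this illustration.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: walks the path, creating intermediate objects, and trusts
// every segment. On a plain object "__proto__" resolves to Object.prototype,
// so the final assignment lands on the shared prototype.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] == null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
}

// Hardened shape (assumed mitigation, not the library's exact patch): reject
// prototype-chain segments up front, require the path to stay inside
// operations.variables, and only descend through own properties that are
// objects, so inherited properties are never followed or written.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys[0] !== 'variables' || keys.length < 2) {
    throw new Error(`map path "${path}" must point inside variables`);
  }
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error(`map path "${path}" contains forbidden segment "${k}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k) ? node[k] : undefined;
    if (own == null) node[k] = {};
    else if (typeof own !== 'object') throw new Error(`map path "${path}" crosses a non-object at "${k}"`);
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
}

// Applies a multipart "map" field ({ fileFieldName: [path, ...] }) to the
// operations object using the supplied setter.
function applyUploadMap(operations, mapJson, files, setPath) {
  const map = JSON.parse(mapJson);
  for (const [fieldName, paths] of Object.entries(map)) {
    if (!Object.prototype.hasOwnProperty.call(files, fieldName)) {
      throw new Error(`map references unknown file field "${fieldName}"`);
    }
    for (const p of paths) setPath(operations, p, files[fieldName]);
  }
  return operations;
}

// Runs the same hostile map through both setters and reports what an unrelated
// object created afterwards observes, so the process-wide effect is visible.
function demo() {
  const hostileMap = JSON.stringify({ '0': ['variables.__proto__.polluted'] });
  const files = { '0': { filename: 'evil.txt' } }; // constructed stand-in for an upload

  applyUploadMap({ query: '{ ok }', variables: { file: null } }, hostileMap, files, setPathUnsafe);
  const unsafePolluted = ({}).polluted !== undefined;
  delete Object.prototype.polluted; // undo the pollution so the rest of the run is clean

  let safeRejected = false;
  try {
    applyUploadMap({ query: '{ ok }', variables: { file: null } }, hostileMap, files, setPathSafe);
  } catch (e) {
    safeRejected = true;
  }
  const safeClean = ({}).polluted === undefined;

  // A legitimate map still works with the hardened setter.
  const legitMap = JSON.stringify({ '0': ['variables.file'] });
  const ops = applyUploadMap({ query: '{ ok }', variables: { file: null } }, legitMap, files, setPathSafe);
  const legitPlaced = ops.variables.file === files['0'];

  return { unsafePolluted, safeRejected, safeClean, legitPlaced };
}

console.log(demo());
```

The hardened setter rejects by segment name, which is the usual mitigation for this bug class; the added checks that the path must start at variables and may only descend through own object properties are defense in depth this example chose, not something the advisory states about the fix. Note that the demo has to delete Object.prototype.polluted by hand: in a real service there is no such cleanup hook, which is why the advisory says the effect persists until restart.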

One or more vendors are listed for this advisory; consult the full report for additional vendor details. The advisory credits Maor Caplan of Alma Security with reporting the vulnerability and notes that the document was written by Michael Bragg. The patch comparison between the vulnerable and fixed releases is available at https://github.com/flash-oss/graphql-upload-minimal/compare/v1.6.1...flash-oss:graphql-upload-minimal:v1.6.3.