4 changes: 2 additions & 2 deletions vulnerabilities/AIKIDO-2025-10109.json
Expand Up @@ -5,7 +5,7 @@
],
"vulnerable_ranges": [
[
"5.0.0",
"4.0.0",
"5.1.1"
]
],
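Review bot: the lower bound of `vulnerable_ranges` drops from `"5.0.0"` to `"4.0.0"` with nothing in the record justifying the wider range; the unchanged `tldr` still only says that 5.1.1 is vulnerable and never states which release introduced the affected `XRegExp.cache` behaviour. Suggest citing the commit or release where the vulnerable code path first appeared (or a reproduction against a 4.x build) so the `4.0.0` bound is verifiable, and stating whether both ends of the range are inclusive, since an off-by-one here silently changes who is told they are affected.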
Expand All @@ -14,7 +14,7 @@
],
"tldr": "The latest version of `xregexp` (5.1.1) is vulnerable to prototype pollution through the `XRegExp.cache` function. An attacker can supply a crafted payload with a pattern and flag to manipulate properties within the global prototype chain. This vulnerability can lead to more severe injection-based attacks, depending on how the library is used. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., `exec`, `eval`), an attacker could execute arbitrary commands within the application's context.",
"doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
"how_to_fix": "Upgrade the `xregexp` library to the patch version.",
"how_to_fix": "Upgrade the `xregexp` library to the latest patched version. If you're updating from a version older than `5.0.0`, be aware of breaking changes in `5.x`:\n Namespacing is now enabled by default, Named capture groups are handled differently and Support for Unicode blocks has been removed. \nCheck the `xregexp` changelog for more details before upgrading.",
"reporter": "",
"vulnerable_to": "Prototype Pollution",
"related_cve_id": "",
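Review bot: the new `how_to_fix` text contradicts the unchanged `tldr` above it, which says the latest version (5.1.1) is vulnerable: advising users to upgrade to "the latest patched version" names no fixed release, and if 5.1.1 is the latest there is none to upgrade to, so either name the fixed version or state that no fix is available yet. Separately, the embedded whitespace looks unintended (`\n Namespacing` has a space after the newline and `removed. \nCheck` a trailing space before it), and the three breaking changes run together with mid-sentence capitals; suggest a plain sentence such as `Namespacing is now enabled by default; named capture groups are handled differently; support for Unicode blocks has been removed.`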