CVE-2025-3982

4.3 MEDIUM

📋 TL;DR

This CVE describes a prototype pollution vulnerability in Sverchok 1.3.0's Set Property Mk2 Node. Attackers can remotely manipulate object prototypes to potentially modify application behavior or cause denial of service. Users of Sverchok 1.3.0 with the affected node enabled are vulnerable.

💻 Affected Systems

Products:
  • nortikin Sverchok
Versions: 1.3.0
Operating Systems: All platforms running Blender with Sverchok
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Set Property Mk2 Node to be used in a Sverchok node tree within Blender.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution through prototype pollution leading to complete system compromise, though this requires specific application context.

🟠 Likely Case: Application instability, denial of service, or unauthorized modification of object properties affecting 3D modeling operations.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially causing only minor application errors.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available in the GitHub gist reference. Attack requires network access to Blender's Sverchok interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider removing or disabling the Set Property Mk2 Node until a fix is released.

🔧 Temporary Workarounds

Disable Set Property Mk2 Node (all platforms)
  • Remove or disable the vulnerable node from all Sverchok node trees
  • Manually edit .blend files to remove SvSetPropNodeMK2 nodes

Network Isolation (all platforms)
  • Restrict network access to Blender instances running Sverchok
  • Use firewall rules to block external access to Blender's network ports

🧯 If You Can't Patch

  • Isolate Blender instances with Sverchok from untrusted networks
  • Implement strict input validation for all Sverchok node parameters

🔍 How to Verify

Check if Vulnerable:

Check if Sverchok 1.3.0 is installed and if any node trees contain Set Property Mk2 nodes

Check Version:

In Blender: Check Sverchok addon version in Preferences > Add-ons

Verify Fix Applied:

Verify Sverchok version is updated beyond 1.3.0 or vulnerable nodes are removed

📡 Detection & Monitoring

Log Indicators:

  • Unusual network connections to Blender
  • Sverchok node execution errors
  • Unexpected object property modifications

Network Indicators:

  • Traffic to Blender's network interface containing serialized node data

SIEM Query:

Search for process execution of blender.exe with network activity and error logs containing 'Sverchok' or 'SvSetPropNodeMK2'
