{"vulnerability": "GHSA-MHWJ-73QX-JQXM", "sightings": [{"uuid": "0fa990b1-40a0-4503-b1c9-a44472a83bcf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-MHWJ-73QX-JQXM", "type": "seen", "source": "https://gist.github.com/alon710/4af81f21f7f20feffc4a4956d94d4de4", "content": "# GHSA-MHWJ-73QX-JQXM: GHSA-MHWJ-73QX-JQXM: Prototype Pollution in @theecryptochad/merge-guard via deepMerge()\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-11\n> **Full Report:** https://cvereports.com/reports/GHSA-MHWJ-73QX-JQXM\n\n## Summary\nThe `@theecryptochad/merge-guard` JavaScript package version 1.0.0 is vulnerable to Prototype Pollution. The `deepMerge()` function fails to validate input keys during recursive object merging, allowing attackers to inject malicious properties into the global `Object.prototype` via the `__proto__` accessor. This widespread environmental state alteration can lead to Denial of Service, business logic bypass, or Remote Code Execution depending on the presence of susceptible gadget chains in the application.\n\n## TL;DR\nA missing input validation check in the deepMerge() function of @theecryptochad/merge-guard v1.0.0 permits Prototype Pollution. Attackers can supply a crafted JSON payload containing a `__proto__` key to alter the global Object.prototype. The vulnerability is fixed in version 1.0.1 by implementing a restricted key denylist.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1321\n- **Attack Vector**: Network\n- **Estimated CVSS**: 9.8\n- **Impact**: DoS, Logic Bypass, RCE\n- **Exploit Status**: Proof of Concept Available\n- **Vulnerable Component**: deepMerge() function\n\n## Affected Systems\n\n- Node.js server applications utilizing @theecryptochad/merge-guard\n- Client-side web applications bundling @theecryptochad/merge-guard\n- **@theecryptochad/merge-guard**: < 1.0.1 (Fixed in: `1.0.1`)\n\n## Mitigation\n\n- Upgrade `@theecryptochad/merge-guard` to version 1.0.1\n- Implement strict input validation and JSON schema enforcement\n- Run Node.js with the `--disable-proto=delete` flag\n- Freeze the global prototype object using `Object.freeze(Object.prototype)` at startup\n\n**Remediation Steps:**\n1. Audit project dependencies to identify the vulnerable package version.\n2. Update the package manager lockfile to require `@theecryptochad/merge-guard@1.0.1`.\n3. Execute automated tests to ensure the denylist patch does not break existing merge logic.\n4. Deploy the updated application build to production environments.\n\n## References\n\n- [GitHub Security Advisory GHSA-MHWJ-73QX-JQXM](https://github.com/advisories/GHSA-MHWJ-73QX-JQXM)\n- [CWE-1321 Details](https://cwe.mitre.org/data/definitions/1321.html)\n- [@theecryptochad/merge-guard GitHub Repository](https://github.com/TheeCryptoChad/merge-guard)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-MHWJ-73QX-JQXM) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-11T17:40:28.000000Z"}]}