GHSA-MHWJ-73QX-JQXM: Prototype Pollution in @theecryptochad/merge-guard via deepMerge()

Vulnerability ID: GHSA-MHWJ-73QX-JQXM
CVSS Score: 9.8
Published: 2026-05-11

The @theecryptochad/merge-guard JavaScript package version 1.0.0 is vulnerable to Prototype Pollution. The deepMerge() function does not validate input keys during recursive object merging, which allows attackers to inject malicious properties into the global Object.prototype via the __proto__ accessor. Because this alters state shared across the whole runtime environment, it can lead to Denial of Service, business logic bypass, or Remote Code Execution, depending on the presence of susceptible gadget chains in the application.

TL;DR

A missing input validation check in the deepMerge() function of @theecryptochad/merge-guard v1.0.0 permits Prototype Pollution. Attackers can supply a crafted JSON payload containing a __proto__ key to alter the global Object.prototype. The vulnerability is fixed in version 1.0.1 by implementing a restricted key denylist.…
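The flaw and the fix described above, as an added example that is not the package's own code: a hypothetical unguarded recursive merge next to a guarded one, both run against a constructed JSON input. The function names, the sample input, and the exact denylist contents are assumptions; the advisory only states that 1.0.1 uses a restricted key denylist.

```javascript
// Added illustration; NOT the source code of @theecryptochad/merge-guard.
// deepMergeUnguarded, deepMergeGuarded, probe and BLOCKED_KEYS are hypothetical names.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded recursive merge: every key from the source is followed, including
// "__proto__", so target["__proto__"] resolves to Object.prototype and is merged into.
function deepMergeUnguarded(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeUnguarded(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Assumed denylist contents; the advisory only says "restricted key denylist".
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeGuarded(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop keys that reach the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into the target's own properties, never inherited ones.
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
      deepMergeGuarded(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an ordinary own property.
const SAMPLE = '{"profile":{"name":"a"},"__proto__":{"isAdmin":true}}';

function probe(mergeFn) {
  const merged = mergeFn({}, JSON.parse(SAMPLE));
  const polluted = ({}).isAdmin === true; // does an unrelated object see the flag?
  delete Object.prototype.isAdmin;        // restore global state after the check
  return { polluted, name: merged.profile.name };
}

console.log(probe(deepMergeUnguarded), probe(deepMergeGuarded));
```

The same probe works as a regression test after upgrading: merge the constructed input, then assert that a freshly created object has not gained the property.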