What is the CVSS score of CVE-2026-25047?

CVE-2026-25047 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-25047?

A critical vulnerability in Deephas (versions up to 1.0.7) allows attackers to manipulate application objects through prototype pollution, potentially enabling unauthorized access, data theft, or…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25047?

Yes, a public proof-of-concept exploit is available for CVE-2026-25047. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25047?

Within 24 hours: Identify all systems running Deephas versions 1.0.7 or earlier and isolate them from production if possible; begin patch testing in a non-production environment. Within 7 days: Deploy patched Deephas version to all production systems following change management procedures; verify successful patching and test application functionality. Within 30 days: Complete audit of all Deephas instances across the organization; review logs for signs of exploitation between vulnerability disclosure and patch deployment.

Node.js CVE-2026-25047

HIGH

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2026-01-29 security-advisories@github.com

GHSA-2733-6c58-pf27

Node.js Deephas

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Feb 25, 2026 - 15:13 vuln.today

Public exploit code

Patch released

Feb 25, 2026 - 15:13 nvd

Patch available

CVE Published

Jan 29, 2026 - 22:15 nvd

HIGH 8.8

DescriptionGitHub Advisory

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

AnalysisAI

Deephas versions up to 1.0.7 is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 8.8).

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious nested object key

Exploit

Call deepHas with prototype pollution payload

Execution

Pollute Object.prototype properties

Impact

Execute arbitrary code via corrupted global object

Access

Craft malicious nested object key

Exploit

Call deepHas with prototype pollution payload

Execution

Pollute Object.prototype properties

Impact

Execute arbitrary code via corrupted global object

Vulnerability AssessmentAI

Exploitation	deepHas npm package version 1.0.7 installed; local attacker with limited user privileges can execute code in Node.js application environment using the vulnerable deepHas function with attacker-controlled input. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to modify global object behavior.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Deephas versions 1.0.7 or earlier and isolate them from production if possible; begin patch testing in a non-production environment. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

CVE-2026-25047 vulnerability details – vuln.today

Back

Node.js CVE-2026-25047

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code