Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input.
AnalysisAI
Prototype pollution in @ranfdev/deepobj npm package (versions ≤1.0.2) allows remote unauthenticated attackers to modify JavaScript object prototypes when property paths containing '__proto__', 'constructor', or 'prototype' are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation against network-accessible applications, though real-world impact depends critically on whether user-controlled input is passed to property path parameters. EPSS data unavailable; not listed in CISA KEV. Publicly available exploit code exists (GitHub advisory GHSA-x7q7-fchv-8h2j). Vendor-released patch available in version 1.0.3.
Technical ContextAI
The @ranfdev/deepobj library is an npm package for deep object manipulation in JavaScript/Node.js applications (pkg:npm/@ranfdev_deepobj). The vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). When the library processes property paths without adequate sanitization, attackers can inject special JavaScript property names ('__proto__', 'constructor', 'prototype') to pollute the Object prototype chain. This is a classic JavaScript prototype pollution vulnerability where operations like object merging, deep assignment, or path-based property setting fail to validate or block reserved prototype-modifying keywords. The impact manifests as unauthorized modification of base object behavior affecting all object instances in the JavaScript runtime.
RemediationAI
Upgrade @ranfdev/deepobj to version 1.0.3 or later, which contains the vendor-released patch per GitHub advisory GHSA-x7q7-fchv-8h2j (https://github.com/ranfdev/deepobj/security/advisories/GHSA-x7q7-fchv-8h2j). Update package.json to specify "@ranfdev/deepobj": "^1.0.3" and run npm update or yarn upgrade. If immediate upgrade is not feasible, implement input validation to reject property paths containing the literal strings '__proto__', 'constructor', or 'prototype' before passing them to deepobj functions - note this workaround may break legitimate use cases requiring these property names. Alternatively, refactor code to avoid exposing property path parameters to any user-controlled input sources (HTTP requests, environment variables, external configuration files). Review application code to identify all call sites where user input flows into deepobj's property manipulation methods and apply allowlist-based path validation.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32976
GHSA-x7q7-fchv-8h2j