Skip to main content

@ranfdev/deepobj CVE-2026-46509

| EUVDEUVD-2026-32976 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-14 https://github.com/ranfdev/deepobj GHSA-x7q7-fchv-8h2j
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 22:06 vuln.today
Analysis Generated
May 14, 2026 - 22:06 vuln.today
CVE Published
May 14, 2026 - 20:55 nvd
HIGH 8.2

DescriptionGitHub Advisory

Impact

Prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input.

AnalysisAI

Prototype pollution in @ranfdev/deepobj npm package (versions ≤1.0.2) allows remote unauthenticated attackers to modify JavaScript object prototypes when property paths containing '__proto__', 'constructor', or 'prototype' are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation against network-accessible applications, though real-world impact depends critically on whether user-controlled input is passed to property path parameters. EPSS data unavailable; not listed in CISA KEV. Publicly available exploit code exists (GitHub advisory GHSA-x7q7-fchv-8h2j). Vendor-released patch available in version 1.0.3.

Technical ContextAI

The @ranfdev/deepobj library is an npm package for deep object manipulation in JavaScript/Node.js applications (pkg:npm/@ranfdev_deepobj). The vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). When the library processes property paths without adequate sanitization, attackers can inject special JavaScript property names ('__proto__', 'constructor', 'prototype') to pollute the Object prototype chain. This is a classic JavaScript prototype pollution vulnerability where operations like object merging, deep assignment, or path-based property setting fail to validate or block reserved prototype-modifying keywords. The impact manifests as unauthorized modification of base object behavior affecting all object instances in the JavaScript runtime.

RemediationAI

Upgrade @ranfdev/deepobj to version 1.0.3 or later, which contains the vendor-released patch per GitHub advisory GHSA-x7q7-fchv-8h2j (https://github.com/ranfdev/deepobj/security/advisories/GHSA-x7q7-fchv-8h2j). Update package.json to specify "@ranfdev/deepobj": "^1.0.3" and run npm update or yarn upgrade. If immediate upgrade is not feasible, implement input validation to reject property paths containing the literal strings '__proto__', 'constructor', or 'prototype' before passing them to deepobj functions - note this workaround may break legitimate use cases requiring these property names. Alternatively, refactor code to avoid exposing property path parameters to any user-controlled input sources (HTTP requests, environment variables, external configuration files). Review application code to identify all call sites where user input flows into deepobj's property manipulation methods and apply allowlist-based path validation.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-46509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy