@nevware21/ts-utils CVE-2026-46681
HIGHLifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on @nevware21/ts-utils (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.14.0.
DescriptionCVE.org
Summary
The _copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (__proto__, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the application.
Details
In _copyProps() (copy.ts lines 186-191), the code iterates all enumerable properties including inherited ones and dangerous keys like __proto__. Any object with a __proto__ key (e.g., from untrusted JSON input) will overwrite the target's prototype.
PoC
const malicious = JSON.parse('{"__proto__": {"polluted": true}}');
objDeepCopy(malicious);
console.log({}.polluted); // trueSuggested Fix
Add objHasOwnProperty check and filter __proto__, constructor, prototype keys.
AnalysisAI
Prototype pollution in @nevware21/ts-utils versions <= 0.13.0 allows attackers to corrupt the global Object prototype by passing crafted JSON containing a __proto__ key to objDeepCopy or objCopyProps. The flaw resides in the _copyProps helper, which iterates source properties with for...in without hasOwnProperty filtering and does not block dangerous keys. Publicly available exploit code exists via the vendor's GHSA proof-of-concept, though no public exploit identified at time of analysis beyond the disclosure PoC, and no KEV listing.
Technical ContextAI
@nevware21/ts-utils is an npm-published TypeScript utility library providing helpers such as objDeepCopy and objCopyProps for cloning and merging objects. The root cause is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, a.k.a. Prototype Pollution): in lib/src/object/copy.ts the _copyProps function (lines 186-191) walks enumerable properties via for...in, which traverses inherited keys as well as the special __proto__ accessor, and assigns them onto the destination object. When the source is parsed from untrusted JSON, JSON.parse produces an own __proto__ data property whose assignment mutates Object.prototype, propagating the pollutant to every object in the runtime. The CPE identifier pkg:npm/@nevware21_ts-utils confirms the affected component is the npm package.
RemediationAI
Vendor-released patch: 0.14.0 - upgrade @nevware21/ts-utils to >= 0.14.0 via npm/yarn/pnpm and rebuild any applications or transitive dependents that bundle it, per the advisory at https://github.com/nevware21/ts-utils/security/advisories/GHSA-x7j8-49r8-mr43. If immediate upgrade is not possible, avoid passing untrusted JSON or any object derived from external input directly to objDeepCopy or objCopyProps, and sanitize incoming payloads by stripping __proto__, constructor, and prototype keys before deserialization or before invoking these helpers (trade-off: requires audit of every call site and may miss indirect callers in transitive dependencies). As a runtime defense, applications can freeze Object.prototype with Object.freeze(Object.prototype) at startup, though this can break libraries that legitimately extend prototypes and is not a substitute for patching.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x7j8-49r8-mr43