Prototype Pollution
CVE-2026-54335
LOW
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
DescriptionGitHub Advisory
Impact
The _.merge(target, source) utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keys(source). When source was produced by JSON.parse and contains a __proto__ (or constructor / prototype) key, that key is returned as an own-enumerable property. The recursive merge then resolves target['__proto__'] to Object.prototype and writes the attacker-supplied properties onto it, polluting the prototype for all plain objects in the process for the lifetime of the Node process.
Scope of real-world risk is limited. No first-party Feathers package routes input - trusted or untrusted - through commons._.merge. The @feathersjs/authentication package, which does merge request-influenced data, uses lodash/merge (prototype-pollution-safe since 4.17.12), not this utility. Exploitation therefore requires a downstream plugin or application to pass JSON-parsed, attacker-controlled input directly through the exported _.merge.
Patches
Fixed in @feathersjs/commons@5.0.45. The fix skips __proto__, constructor, and prototype keys during iteration - the standard remediation used by lodash and others.
Workarounds
Avoid passing JSON-parsed untrusted input through commons._.merge. Freezing Object.prototype or validating/sanitizing keys upstream also mitigates.
Credit
Reported responsibly by Andrew Ridings (@ridingsa).
Analysis
The _.merge(target, source) utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keys(source). When source was produced by JSON.parse and contains a __proto__ (or constructor / prototype) key, that key is returned as an own-enumerable property. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-28xv-ph75-77wh