Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Prototype pollution in brikcss merge library versions 1.0 through 1.3.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript Object prototypes via crafted __proto__, constructor.prototype, or prototype arguments, potentially leading to information disclosure, authentication bypass, or denial of service. Publicly available exploit code exists (GitHub PoC from sudo-secure). CVSS 7.3 with network vector and no authentication required. Vendor unresponsive to disclosure attempts.
Technical ContextAI
Brikcss merge is a JavaScript utility library for merging objects and arrays. The vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. This occurs when user-controlled input can modify Object.prototype or constructor.prototype without proper sanitization. In JavaScript, all objects inherit from Object.prototype, so polluting this base prototype affects all objects in the application runtime. Attackers can inject properties like __proto__, constructor.prototype, or prototype with malicious values during merge operations. The affected product is identified via CPE as cpe:2.3:a:brikcss:merge covering all versions through 1.3.0. Prototype pollution is a critical vulnerability class in JavaScript ecosystems because it can bypass security controls, enable privilege escalation, cause denial of service through property injection, or leak sensitive information depending on how the polluted properties are used downstream in application logic.
RemediationAI
No vendor-released patch exists for brikcss merge as of this analysis - the maintainer did not respond to disclosure. Primary mitigation: REMOVE brikcss merge from dependencies and replace with actively maintained alternatives such as lodash.merge (with prototype pollution protections enabled), deepmerge (version 4.3.1+), or @fastify/deepmerge. For applications unable to immediately migrate, implement compensating controls: (1) Input validation - sanitize all user-controlled data before passing to merge operations by explicitly blocking keys matching __proto__, constructor, and prototype using allowlist validation; (2) Object.freeze(Object.prototype) at application startup to prevent prototype modification (note: this may break legitimate code relying on prototype extension); (3) Use Object.create(null) for objects passed to merge functions to avoid prototype chain inheritance; (4) Deploy runtime application self-protection (RASP) or web application firewall (WAF) rules to detect and block payloads containing prototype pollution patterns in JSON/form data. Trade-offs: Object.freeze may cause compatibility issues with older libraries; input sanitization adds processing overhead and must cover all entry points. Refer to the public PoC at github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md to understand attack patterns for detection rule development.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23742
GHSA-3jc6-6r48-v6qf