Ts Deepmerge
Monthly
Uncaught Exception in ts-deepmerge before 8.0.0 allows unauthenticated remote attackers to crash Node.js applications by supplying JSON payloads that contain Object.prototype method names (e.g., toString, valueOf) mapped to non-function values, causing any subsequent string-context operation on the merged object to throw a TypeError. The vulnerability is distinct from classic prototype pollution - it does not escalate privileges or leak data, but reliably corrupts the merged object's callable methods, making DoS trivially achievable against any network-exposed merge endpoint that accepts untrusted input. A public proof-of-concept exists (GitHub Gist, Snyk SNYK-JS-TSDEEPMERGE-17339141), and the CVSS 4.0 E:P supplemental metric confirms exploit code is available; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Uncaught Exception in ts-deepmerge before 8.0.0 allows unauthenticated remote attackers to crash Node.js applications by supplying JSON payloads that contain Object.prototype method names (e.g., toString, valueOf) mapped to non-function values, causing any subsequent string-context operation on the merged object to throw a TypeError. The vulnerability is distinct from classic prototype pollution - it does not escalate privileges or leak data, but reliably corrupts the merged object's callable methods, making DoS trivially achievable against any network-exposed merge endpoint that accepts untrusted input. A public proof-of-concept exists (GitHub Gist, Snyk SNYK-JS-TSDEEPMERGE-17339141), and the CVSS 4.0 E:P supplemental metric confirms exploit code is available; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.