Skip to main content

Ts Deepmerge

1 CVEs product

Monthly

CVE-2026-12644 npm MEDIUM PATCH This Month

Uncaught Exception in ts-deepmerge before 8.0.0 allows unauthenticated remote attackers to crash Node.js applications by supplying JSON payloads that contain Object.prototype method names (e.g., toString, valueOf) mapped to non-function values, causing any subsequent string-context operation on the merged object to throw a TypeError. The vulnerability is distinct from classic prototype pollution - it does not escalate privileges or leak data, but reliably corrupts the merged object's callable methods, making DoS trivially achievable against any network-exposed merge endpoint that accepts untrusted input. A public proof-of-concept exists (GitHub Gist, Snyk SNYK-JS-TSDEEPMERGE-17339141), and the CVSS 4.0 E:P supplemental metric confirms exploit code is available; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Denial Of Service Ts Deepmerge
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uncaught Exception in ts-deepmerge before 8.0.0 allows unauthenticated remote attackers to crash Node.js applications by supplying JSON payloads that contain Object.prototype method names (e.g., toString, valueOf) mapped to non-function values, causing any subsequent string-context operation on the merged object to throw a TypeError. The vulnerability is distinct from classic prototype pollution - it does not escalate privileges or leak data, but reliably corrupts the merged object's callable methods, making DoS trivially achievable against any network-exposed merge endpoint that accepts untrusted input. A public proof-of-concept exists (GitHub Gist, Snyk SNYK-JS-TSDEEPMERGE-17339141), and the CVSS 4.0 E:P supplemental metric confirms exploit code is available; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Denial Of Service Ts Deepmerge
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy