78 matches found
ts-deepmerge: Prototype Method Override leads to DoS
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
NPM: ts-deepmerge: Prototype Method Override leads to DoS
NPM: ts-deepmerge: Prototype Method Override leads to DoS vulnerability discovered by ? in WordPress Npm ts-deepmerge versions 8.0.0...
CVE-2026-12644
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
CVE-2026-12644
The CVE affects ts-deepmerge before version 8.0.0. The vulnerability stems from improper handling of built-in Object.prototype methods (e.g., toString, valueOf) during merging. If user-controlled input supplies these keys with non-function values, the merged object can break and throw a TypeError...
EUVD-2026-37991
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
PT-2026-50839
Name of the Vulnerable Software and Affected Versions: ts-deepmerge versions prior to 8.0.0 Description: An uncaught exception occurs due to improper handling of built-in Object.prototype methods, such as toString and valueOf. When user-controlled input contains these keys with non-function values,...
Uncaught Exception
Overview: ts-deepmerge is a deep merge function that automatically infers the return type based on your input, without mutating the source objects. Affected versions of this package are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as...
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
Summary: @theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime. Details: The deepMerge function...
EUVD-2021-2604
Malware in sbrugna...
EUVD-2021-1894
Malware in sbrugna...
EUVD-2021-2598
Malware in sbrugna...
EUVD-2021-1150
Malware in sbrugna...
EUVD-2022-6507
Malicious code in bioql PyPI...
@zag-js/core prototype pollution
A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload...
CVE-2022-24802
deepmerge-ts is a TypeScript library providing functionality for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords. This issue has been patched in version 4.0.2. There are no known workarounds for this issue...
Zag security vulnerability
Zag is a framework open-sourced by Chakra. A security vulnerability exists in Zag version v0.50.0, which stems from a prototype pollution vulnerability in the lib.deepMerge function...
PT-2025-5759 · Unknown · @Stryker-Mutator/Util
Name of the Vulnerable Software and Affected Versions: @stryker-mutator/util version 8.6.0 Description: A prototype pollution in the deepMerge function allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload. Recommendations: For @stryker-mutator/util version 8.6.0,...
StrykerJS security vulnerability
StrykerJS is a JavaScript library open-sourced by Stryker Mutator. A security vulnerability exists in StrykerJS version v8.6.0, which stems from a prototype pollution vulnerability in the deepMerge function...