ts-deepmerge: Prototype Method Override leads to DoS

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...

NPM: ts-deepmerge: Prototype Method Override leads to DoS

NPM: ts-deepmerge: Prototype Method Override leads to DoS vulnerability discovered by ? in WordPress Npm ts-deepmerge versions 8.0.0...

CVE-2026-12644

The CVE affects ts-deepmerge before version 8.0.0. The vulnerability stems from improper handling of built-in Object.prototype methods (e.g., toString, valueOf) during merging. If user-controlled input supplies these keys with non-function values, the merged object can break and throw a TypeError...

CVE-2026-12644

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...

PT-2026-50839

Name of the Vulnerable Software and Affected Versions ts-deepmerge versions prior to 8.0.0 Description An uncaught exception occurs due to improper handling of built-in Object.prototype methods, such as toString and valueOf. When user-controlled input contains these keys with non-function values,...

Uncaught Exception

Overview ts-deepmerge is an a deep merge function that automatically infers the return type based on your input, without mutating the source objects. Affected versions of this package are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as...

EUVD-2022-6507

Malicious code in bioql PyPI...

Prototype Pollution

ts-deepmerge is vulnerable to pollution prototype. The vulnerability exists because of missing sanitization of the merge parameters in 'src/index.test.ts', allowing an attacker to inject malicious characteristics to add new values to a javascript application object prototype,overwriting or...

@alloyify/anvil (>=1.1.2 <=1.1.4), @alloyify/devkit (>=1.1.2 <=1.1.4) +68 more potentially affected by CVE-2022-25907 via ts-deepmerge (>=1.0.5 <=2.0.1)

ts-deepmerge NPM version =1.0.5, =1.1.2, =1.1.2, =1.1.2, =1.1.2, =0.0.2, =0.2.0, =0.1.1, =2.4.6-alpha.3, =1.1.0, =0.1.0, =0.12.2, =0.0.1, =1.0.0-beta.1, =1.0.6 and more Source cves: CVE-2022-25907 Source advisory: OSV:GHSA-7QQQ-GH2F-WQ76...

GHSA-7QQQ-GH2F-WQ76 ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution

The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...

ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution

The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...

CVE-2022-25907

The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function...

CVE-2022-25907

The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function...

CVE-2022-25907 Prototype Pollution

The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function...

CVE-2022-25907

CVE-2022-25907 affects the npm package ts-deepmerge prior to 2.0.2 and is caused by missing sanitization in the merge function, enabling prototype pollution. The vulnerability is described across multiple sources as allowing modification/ contamination of Object.prototype, with potential impact o...

CVE-2022-25907

The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function...

PT-2022-17598 · Unknown · Ts-Deepmerge

Name of the Vulnerable Software and Affected Versions: ts-deepmerge versions prior to 2.0.2 Description: The issue is related to Prototype Pollution due to missing sanitization of the merge function. This allows for potential manipulation of the prototype, leading to various security issues...

@alloyify/anvil (>=1.1.2 <=1.1.4), @alloyify/devkit (>=1.1.2 <=1.1.4) +12 more potentially affected by CVE-2022-25907 via ts-deepmerge (=2.0.1)

ts-deepmerge NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on ts-deepmerge and may be impacted: - @alloyify/anvil =1.1.2, =1.1.2, =1.1.2, =1.1.2, =0.0.0-canary-20220330074435, =0.0.0-canary-20220330074435, =5.0.24, =11.1.27, =4.0.22,...