{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25047", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.886Z", "datePublished": "2026-01-29T21:39:48.498Z", "dateUpdated": "2026-02-02T16:35:22.701Z"}, "containers": {"cna": {"title": "deepHas vulnerable to Prototype Pollution via constructor.prototype", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"}, {"name": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465", "tags": ["x_refsource_MISC"], "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"}], "affected": [{"vendor": "sharpred", "product": "deepHas", "versions": [{"version": "< 1.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:39:48.498Z"}, "descriptions": [{"lang": "en", "value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."}], "source": {"advisory": "GHSA-2733-6c58-pf27", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T14:48:51.987434Z", "id": "CVE-2026-25047", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:35:22.701Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-30T14:48:51.987434Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T14:48:56.330Z"}}], "cna": {"title": "deepHas vulnerable to Prototype Pollution via constructor.prototype", "source": {"advisory": "GHSA-2733-6c58-pf27", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sharpred", "product": "deepHas", "versions": [{"status": "affected", "version": "< 1.0.7"}]}], "references": [{"url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27", "name": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465", "name": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:39:48.498Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25047", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:35:22.701Z", "dateReserved": "2026-01-28T14:50:47.886Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T21:39:48.498Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*", "matchCriteriaId": "0D998147-9A29-4864-97BD-88D814F73D54", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."}, {"lang": "es", "value": "deepHas proporciona una prueba para la existencia de una clave de objeto anidado y opcionalmente devuelve esa clave. Existe una vulnerabilidad de contaminaci\u00f3n de prototipos en la versi\u00f3n 1.0.7 del paquete npm deephas que permite a un atacante modificar el comportamiento de objetos globales. Este problema fue solucionado en la versi\u00f3n 1.0.8."}], "id": "CVE-2026-25047", "lastModified": "2026-02-25T15:13:28.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-29T22:15:55.647", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:39:59.158129+00:00", "value": {"mitigation_remediation": ["Upgrade the sharpred:deepHas package to version 1.0.8 or later", "Audit project dependencies to ensure no other vulnerable versions of the package remain and lock the dependency tree", "If an upgrade is not immediately possible, validate or sanitize all inputs passed to deepHas to prevent prototype manipulation, or eliminate the use of deepHas for untrusted data"], "summary": {"action": "Immediate Patch", "impact": "Prototype Pollution of global prototypes"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the sharpred:deepHas npm package in version 1.0.7, which runs under Node.js. All applications that depend on this package and supply untrusted input to deepHas are impacted until they upgrade to version 1.0.8 or later.", "description_and_impact": "deepHas provides a utility to test the existence of nested object keys and may optionally return that key. In version 1.0.7 a flaw allows an attacker to inject properties onto the global prototype via the constructor.prototype field, which can alter the behavior of all objects in the JavaScript runtime. This weakness is classified as CWE\u20111321 and can lead to modification of global object behavior, potentially affecting confidentiality, integrity, and availability depending on how the library is used (inferred).", "risk_and_exploitability": "The CVSS score is 9.4, indicating critical severity. The EPSS score is reported as less than 1%, suggesting that exploitation probability is low overall, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local code that depends on sharpred:deepHas and processes external data; an attacker can supply crafted input that modifies the prototype (inferred). The risk is significant because any target running the affected library becomes vulnerable to prototype pollution attacks (inferred)."}}}}, "created": "2026-01-30T08:42:45.500854+00:00", "updated": "2026-04-18T18:45:05.756555+00:00", "vendors": ["sharpred", "sharpred$PRODUCT$deephas"]}