Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-25047: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in sharpred deepHas

0
Critical
VulnerabilityCVE-2026-25047cvecve-2026-25047cwe-1321
Published: Thu Jan 29 2026 (01/29/2026, 21:39:48 UTC)
Source: CVE Database V5
Vendor/Project: sharpred
Product: deepHas

Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

AI-Powered Analysis

AILast updated: 02/06/2026, 08:42:12 UTC

Technical Analysis

CVE-2026-25047 identifies a prototype pollution vulnerability in the deepHas npm package, specifically versions prior to 1.0.8. deepHas is a utility that tests for the existence of nested keys within JavaScript objects. The vulnerability stems from improper control over the modification of object prototype attributes (CWE-1321), allowing attackers to inject or alter properties on the global Object prototype. This can lead to unexpected behavior in applications, including bypassing security controls, escalating privileges, or causing denial of service through corrupted object states. The vulnerability does not require authentication or user interaction, making it highly exploitable in environments where the vulnerable package is used. The CVSS 4.0 score of 9.4 reflects a critical severity, with local attack vector but low complexity and no privileges required. The impact covers confidentiality, integrity, and availability, with a high scope as the pollution affects global objects. Although no exploits are currently reported in the wild, the vulnerability's nature and severity make it a significant threat. The fix was introduced in version 1.0.8 of deepHas, which properly controls prototype modifications to prevent pollution. Organizations using this package, directly or transitively, should prioritize upgrading and auditing their dependencies to mitigate risk.

Potential Impact

For European organizations, the impact of CVE-2026-25047 can be substantial. Many enterprises rely on JavaScript and Node.js ecosystems, where npm packages like deepHas are common dependencies. Prototype pollution can lead to severe consequences including arbitrary code execution, privilege escalation, data corruption, and denial of service. This can compromise sensitive data confidentiality, undermine system integrity, and disrupt availability of critical applications. Industries such as finance, healthcare, and government, which handle sensitive personal and operational data, are particularly vulnerable. The attack does not require user interaction or authentication, increasing the risk of automated exploitation in internal or development environments. Additionally, supply chain risks arise if vulnerable packages are embedded in widely used software products or services. The potential for cascading effects through polluted prototypes can affect multiple components and services, amplifying the damage. Therefore, European organizations must treat this vulnerability as a high priority to prevent exploitation and maintain trust in their software infrastructure.

Mitigation Recommendations

1. Immediately upgrade the deepHas package to version 1.0.8 or later in all projects and dependencies. 2. Conduct a thorough dependency audit using tools like npm audit, Snyk, or OWASP Dependency-Check to identify all instances of deepHas usage, including transitive dependencies. 3. Implement strict input validation and sanitization to prevent untrusted data from influencing object keys or prototype chains. 4. Employ runtime protection mechanisms such as object freezing (Object.freeze) or using libraries that prevent prototype pollution. 5. Monitor application logs and behavior for anomalies that could indicate prototype pollution attempts. 6. Educate development teams about prototype pollution risks and secure coding practices related to object manipulation in JavaScript. 7. Integrate automated security testing in CI/CD pipelines to detect vulnerable dependencies early. 8. Consider isolating critical application components to limit the impact scope if pollution occurs. 9. Stay informed about updates or advisories related to deepHas and related packages. 10. For organizations providing software to clients, communicate the vulnerability and remediation steps transparently to maintain trust.

Need more detailed analysis?Upgrade to Pro Console

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-28T14:50:47.886Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 697bd7ddac06320222bd31af

Added to database: 1/29/2026, 9:57:49 PM

Last enriched: 2/6/2026, 8:42:12 AM

Last updated: 2/7/2026, 8:29:10 AM

Views: 36

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats