
CVE-2026-25047: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in sharpred deepHas

Severity: Critical
Published: Thu Jan 29 2026 (01/29/2026, 21:39:48 UTC)
Source: CVE Database V5
Vendor/Project: sharpred
Product: deepHas

Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

AI-Powered Analysis

Last updated: 01/29/2026, 22:12:20 UTC

Technical Analysis

CVE-2026-25047 is a prototype pollution vulnerability (CWE-1321) in the deepHas npm package maintained by sharpred. deepHas tests whether a nested key exists in a JavaScript object by walking a caller-supplied key path, and optionally returns that key. The advisory states that version 1.0.7 lets an attacker who controls the path modify properties on the global Object prototype, and that version 1.0.8 fixes the issue; it does not publish the exact code path. In this class of bug the usual cause is a path walker that follows segments such as `__proto__` or `constructor.prototype` into the shared prototype instead of rejecting them, so a write aimed at one object lands on every object in the process. Because so much JavaScript relies on prototype inheritance, a polluted Object.prototype changes the behaviour of unrelated code: existence checks based on `in` or `!== undefined` start returning true for attacker-chosen keys, defaults are overridden, and option objects acquire properties their consumers never set. The CVSS 4.0 score of 9.4 reflects a network-reachable flaw with low attack complexity that needs no privileges or user interaction and has high impact on confidentiality, integrity and availability. Real-world reachability depends on whether the application passes attacker-influenced key paths into deepHas, for example from JSON request bodies or query parameters. No public exploit had been reported at the time of this analysis. The realistic outcomes of prototype pollution are tampering with application logic or security checks, denial of service through crashes or broken code paths, privilege escalation where authorization relies on property presence, and, where an exploitable gadget exists in the dependency graph, escalation to code execution. Version 1.0.8 of deepHas addresses the issue.
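To make the mechanism concrete, the following is an added example written for this page. It is not deepHas's own code and not the actual flaw in 1.0.7 (the advisory does not publish that code path). It shows a hypothetical nested-key helper of the same general shape, naiveDeepSet/naiveDeepHas, that follows an attacker-supplied `__proto__` segment into Object.prototype, beside a hardened pair, safeDeepSet/safeDeepHas, that rejects the dangerous segments and tests own properties only. All function names and the attacker input are constructed for the illustration:

```javascript
// Added example for CWE-1321: a hypothetical nested-key helper, not the
// deepHas source. Shows how a path walker becomes a prototype pollution
// sink and how the hardened variant closes it.
"use strict";

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// VULNERABLE: every segment of the caller-supplied path is followed. For
// "__proto__.isAdmin", cur["__proto__"] is Object.prototype, so the final
// write lands on the shared prototype instead of on `target`.
function naiveDeepSet(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// WEAK EXISTENCE TEST: `in` walks the prototype chain, so it reports
// inherited keys, including any that pollution has added.
function naiveDeepHas(obj, path) {
  let cur = obj;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !(key in cur)) return false;
    cur = cur[key];
  }
  return true;
}

// HARDENED: refuse the segments that reach a prototype, and only descend
// through own properties so an inherited object is never used as a step.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepSet(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new TypeError(`refusing unsafe key segment in path: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const next = hasOwn(cur, keys[i]) ? cur[keys[i]] : undefined;
    if (typeof next !== "object" || next === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

function safeDeepHas(obj, path) {
  let cur = obj;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !hasOwn(cur, key)) return false;
    cur = cur[key];
  }
  return true;
}

// Run the attack once against each variant and report what happened.
function demonstrate() {
  const victim = {};                         // unrelated object elsewhere in the app
  const attackerPath = "__proto__.isAdmin";  // constructed attacker input

  naiveDeepSet({}, attackerPath, true);
  const polluted = naiveDeepHas(victim, "isAdmin") && victim.isAdmin === true;
  delete Object.prototype.isAdmin;           // undo so the rest of the process is unaffected

  let rejected = false;
  try {
    safeDeepSet({}, attackerPath, true);
  } catch (err) {
    rejected = err instanceof TypeError;
  }

  return {
    polluted,                                     // naive walker reached Object.prototype
    rejected,                                     // hardened walker refused the path
    inheritedSeen: naiveDeepHas({}, "toString"),  // `in` sees inherited keys even unpolluted
    ownOnly: safeDeepHas({}, "toString"),         // own-property check does not
    stillPolluted: safeDeepHas(victim, "isAdmin") // false after cleanup
  };
}
```

Note that naiveDeepHas reports inherited keys such as toString even before any pollution, because `in` walks the prototype chain; that is exactly the property that makes a polluted key visible on every object, which is why the hardened existence test uses an own-property check.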

Potential Impact

For European organizations running Node.js services that depend on deepHas, directly or through a transitive dependency, the impact depends on how the package is used: pollution of Object.prototype is process-wide, so a single reachable call site can destabilise every part of the application in that process. Concrete consequences include bypass of authorization or validation checks that rely on property presence, tampering with configuration and default values, denial of service from crashes or corrupted control flow, and, in applications that contain a reachable gadget, execution of attacker-controlled code. Sectors that handle sensitive data under strict availability requirements, such as finance, healthcare and government, carry the highest exposure. Because the flaw needs no authentication or user interaction, any internet-facing service that lets request data reach deepHas as a key path is remotely exploitable. Organisations that do not depend on deepHas by name may still pull it in transitively, so a lockfile search rather than a package.json review is the only reliable way to rule it out.

Mitigation Recommendations

Upgrade every instance of deepHas to 1.0.8 or later, including copies pulled in transitively. `npm audit`, `npm ls deephas`, Snyk or an SBOM diff will locate them, and lockfile overrides (`overrides` in package.json for npm, `resolutions` for Yarn) can force the fixed version where an intermediate dependency has not yet updated. Independently of the patch, reduce the blast radius of any prototype pollution: reject the path segments `__proto__`, `constructor` and `prototype` wherever attacker-controlled keys are walked or written, store user-keyed data in `Map` or `Object.create(null)` rather than plain objects, test for own properties with `Object.hasOwn` or `Object.prototype.hasOwnProperty.call` instead of `in`, and consider freezing `Object.prototype` at startup (or running Node with `--frozen-intrinsics`) once you have confirmed that no dependency legitimately extends built-ins. Add static analysis rules for unsafe recursive-merge and deep-set patterns in first-party code. For detection, compare the own property names of `Object.prototype` against a baseline captured at startup and alert on additions, and treat unexplained `TypeError`s or behaviour changes in unrelated modules after a deployment as possible pollution. Train development teams on prototype handling in JavaScript, and keep dependency inventories current so that critical fixes like this one can be prioritised quickly.
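The baseline-diff detector and the prototype freeze mentioned above, as an added example that is not part of the advisory or the deepHas project. Function names are hypothetical, and the write it performs against Object.prototype is a constructed payload used only to show the detector firing before hardening and the freeze refusing the same write afterwards:

```javascript
// Added example (not from deepHas or the advisory): two defence-in-depth
// controls a Node.js service can ship independently of patching the
// dependency. Function names are hypothetical.

// 1. Detection. Snapshot the own property names of Object.prototype at
//    startup; anything that appears later was added at runtime, which in a
//    production service is almost always pollution.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function findPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype).filter(
    (name) => !PROTOTYPE_BASELINE.has(name)
  );
}

// 2. Hardening. A frozen prototype cannot gain properties: strict-mode code
//    gets a TypeError, sloppy-mode code is silently ignored, and either way
//    the write never lands. Caveat: polyfills and libraries that extend
//    built-in prototypes will break, so enable this only after the test
//    suite passes with it on. Array.prototype and Function.prototype are
//    common additional targets; Node's --frozen-intrinsics flag freezes the
//    intrinsics wholesale.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Attempt the write a pollution payload would make and report the outcome.
// The function-level directive makes the attempt strict however the file
// is loaded, so a blocked write shows up as a thrown TypeError.
function tryPollute(name) {
  "use strict";
  try {
    Object.prototype[name] = "polluted";
  } catch (err) {
    return { written: false, threw: err instanceof TypeError };
  }
  const written = Object.prototype.hasOwnProperty.call(Object.prototype, name);
  return { written, threw: false };
}

function cleanup(name) {
  delete Object.prototype[name]; // only possible before the freeze
}

// Before hardening the payload lands and the detector reports it; after
// hardening the same payload is refused. Call once per process: the freeze
// is irreversible.
function demonstrate() {
  const before = findPrototypePollution();   // expected: []
  const hit = tryPollute("isAdmin");          // constructed payload for the demo
  const detected = findPrototypePollution();  // expected: ["isAdmin"]
  cleanup("isAdmin");
  const frozen = hardenPrototypes();
  const blocked = tryPollute("isAdmin");      // expected: written false, threw true
  const after = findPrototypePollution();     // expected: []
  return { before, hit, detected, frozen, blocked, after };
}
```

Run hardenPrototypes() as early as possible in process startup, before any dependency has a chance to write to the prototype, and keep the detector cheap enough to call from a health endpoint or a periodic timer so that a pollution event in production is noticed rather than silently corrupting state.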


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-28T14:50:47.886Z
CVSS Version: 4.0
State: PUBLISHED

Added to database: 1/29/2026, 9:57:49 PM

Last enriched: 1/29/2026, 10:12:20 PM

Last updated: 2/5/2026, 4:57:25 PM
