GHSA-MHWJ-73QX-JQXM

Vulnerability from github – Published: 2026-05-11 16:10 – Updated: 2026-05-11 16:10
Summary
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
Details

Summary

@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime.

Details

The deepMerge() function recursively merges two objects without sanitizing reserved property keys (__proto__, constructor, prototype). When a source object contains a __proto__ key, its value is assigned to target.__proto__, which JavaScript engines interpret as a write to Object.prototype.

Proof of Concept

const { deepMerge } = require('@theecryptochad/merge-guard');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
deepMerge({}, payload);
console.log({}.isAdmin); // true — Object.prototype is polluted

Impact

Any application using deepMerge() with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto Object.prototype, enabling privilege escalation, application logic bypass, and property injection.

Remediation

Upgrade to @theecryptochad/merge-guard >= 1.0.1, which adds an explicit blocklist:

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
if (BLOCKED.has(key)) continue;
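The Details and Remediation sections above describe the defect and the one-line blocklist that fixes it. The following is an added example, not merge-guard's own code, of a complete hardened deep-merge built around that blocklist: it copies only own, enumerable, non-reserved keys, recurses only into plain objects, and reports rejected keys so an application can log them. The names safeDeepMerge, isPlainObject, demo and the constructed payload are assumptions made for the example.

```javascript
// Added example: hardened deep-merge that neutralises prototype-pollution keys.
// Illustrative code, not @theecryptochad/merge-guard's source; names are assumptions.
'use strict';

// Reserved keys that must never be copied from an untrusted source object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; arrays, Dates, class instances, etc.
// are assigned by reference so the merge never walks into an unexpected prototype.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: copies own, enumerable, non-reserved keys of `source` into
// `target`. Rejected keys are passed to `onReject` so the caller can log them;
// a `__proto__` key arriving in user input is worth an alert on its own.
function safeDeepMerge(target, source, onReject = () => {}) {
  if (!isPlainObject(target) || !isPlainObject(source)) {
    throw new TypeError('safeDeepMerge expects plain objects');
  }
  for (const key of Object.keys(source)) {   // own enumerable keys only
    if (BLOCKED_KEYS.has(key)) {
      onReject(key);
      continue;                              // the fix: never assign reserved keys
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a target child that is an OWN plain object; otherwise
      // start a fresh one so we never merge into something inherited.
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(existing, value, onReject);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Self-check: merge a constructed payload shaped like the advisory's PoC and
// report whether Object.prototype picked up the injected property.
function demo() {
  const rejected = [];
  // Constructed input. JSON.parse yields an OWN property literally named
  // "__proto__", which is why a naive key loop ends up assigning target.__proto__.
  const payload = JSON.parse(
    '{"__proto__":{"isAdmin":true},"name":"alice","opts":{"theme":"dark"}}'
  );
  const merged = safeDeepMerge({ opts: { lang: 'en' } }, payload, (k) => rejected.push(k));
  return {
    merged,
    rejected,
    polluted: ({}).isAdmin === true,   // false when the guard works
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Rejecting the key rather than deleting it from the source keeps the function free of side effects on caller-owned objects, and the `onReject` callback is the natural place to emit a security log line: a legitimate client has no reason to send `__proto__`, `constructor` or `prototype` as a JSON key.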

References

  • CWE-1321: Improper Neutralization of Special Elements in Object Keys: https://cwe.mitre.org/data/definitions/1321.html
  • OWASP: Prototype Pollution: https://owasp.org/www-community/attacks/Prototype_Pollution
  • Fix commit (release v1.0.1): https://github.com/TheeCryptoChad/merge-guard/releases/tag/v1.0.1

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@theecryptochad/merge-guard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:10:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`@theecryptochad/merge-guard` versions prior to 1.0.1 are vulnerable to Prototype Pollution via the `deepMerge()` function. An attacker who controls the source object can inject `__proto__` keys that mutate `Object.prototype`, affecting all objects in the Node.js runtime.\n\n## Details\n\nThe `deepMerge()` function recursively merges two objects without sanitizing reserved property keys (`__proto__`, `constructor`, `prototype`). When a source object contains a `__proto__` key, its value is assigned to `target.__proto__`, which JavaScript engines interpret as a write to `Object.prototype`.\n\n## Proof of Concept\n\n```js\nconst { deepMerge } = require(\u0027@theecryptochad/merge-guard\u0027);\nconst payload = JSON.parse(\u0027{\"__proto__\":{\"isAdmin\":true}}\u0027);\ndeepMerge({}, payload);\nconsole.log({}.isAdmin); // true \u2014 Object.prototype is polluted\n```\n\n## Impact\n\nAny application using `deepMerge()` with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto `Object.prototype`, enabling privilege escalation, application logic bypass, and property injection.\n\n## Remediation\n\nUpgrade to `@theecryptochad/merge-guard \u003e= 1.0.1`, which adds an explicit blocklist:\n\n```js\nconst BLOCKED = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\nif (BLOCKED.has(key)) continue;\n```\n\n## References\n- [CWE-1321: Improper Neutralization of Special Elements in Object Keys](https://cwe.mitre.org/data/definitions/1321.html)\n- [OWASP: Prototype Pollution](https://owasp.org/www-community/attacks/Prototype_Pollution)\n- [Fix commit](https://github.com/TheeCryptoChad/merge-guard/releases/tag/v1.0.1)",
  "id": "GHSA-mhwj-73qx-jqxm",
  "modified": "2026-05-11T16:10:12Z",
  "published": "2026-05-11T16:10:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TheeCryptoChad/merge-guard/security/advisories/GHSA-mhwj-73qx-jqxm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TheeCryptoChad/merge-guard/commit/25e4b4f2618578a656ef3cb4946a1b475f736736"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TheeCryptoChad/merge-guard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function"
}

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.