GHSA-9v98-6g37-x9g6

Suggest an improvement
Source
https://github.com/advisories/GHSA-9v98-6g37-x9g6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9v98-6g37-x9g6/GHSA-9v98-6g37-x9g6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9v98-6g37-x9g6
Aliases
  • CVE-2026-49252
Published
2026-06-26T21:03:59Z
Modified
2026-06-26T21:15:08.266424829Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
deepstream is vulnerable to prototype pollution
Details

Impact

Prototype pollution in deepstream server v <=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.

Patches

Yes, upgrade to v10.0.5

Workarounds

Filter out all messages containing the path __proto__, constructor, prototype, before they reach the server's message pipeline

Database specific 
{
    "nvd_published_at": "2026-06-18T21:16:29Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-06-26T21:03:59Z"
}
References

Affected packages

npm / @deepstream/server

Package

Name
@deepstream/server
View open source insights on deps.dev
Purl
pkg:npm/%40deepstream%2Fserver

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9v98-6g37-x9g6/GHSA-9v98-6g37-x9g6.json"