GHSA-mhwj-73qx-jqxm

Source
https://github.com/advisories/GHSA-mhwj-73qx-jqxm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mhwj-73qx-jqxm/GHSA-mhwj-73qx-jqxm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mhwj-73qx-jqxm
Published
2026-05-11T16:10:12Z
Modified
2026-05-11T16:17:52.734108Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
Details

Summary

@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime.

Details

The deepMerge() function recursively merges two objects without sanitizing reserved property keys (__proto__, constructor, prototype). When a source object contains a __proto__ key, its value is assigned to target.__proto__, which JavaScript engines interpret as a write to Object.prototype.

Proof of Concept

const { deepMerge } = require('@theecryptochad/merge-guard');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
deepMerge({}, payload);
console.log({}.isAdmin); // true — Object.prototype is polluted

Impact

Any application using deepMerge() with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto Object.prototype, enabling privilege escalation, application logic bypass, and property injection.

Remediation

Upgrade to @theecryptochad/merge-guard >= 1.0.1, which adds an explicit blocklist:

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
if (BLOCKED.has(key)) continue;
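The following is an added example, not the package's own code: a hardened recursive merge in the spirit of the 1.0.1 blocklist, plus a check that the advisory's proof-of-concept payload no longer reaches Object.prototype. The names safeDeepMerge, isPlainObject and pollutionBlocked are assumptions for illustration.

```javascript
// Reserved keys that must never be merged (mirrors the advisory's blocklist).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// True only for plain objects ({} or Object.create(null)); arrays, class
// instances, Dates etc. are copied by reference rather than recursed into.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hypothetical hardened merge: skips reserved keys and only recurses into
// an OWN plain-object property of target, so inherited properties such as
// target.__proto__ are never used as a merge destination.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue; // drop __proto__/constructor/prototype
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload modelled on the advisory's proof of concept, with a
// second path (constructor.prototype) that the blocklist must also stop.
function pollutionBlocked() {
  const payload = JSON.parse(
    '{"__proto__":{"isAdmin":true},"constructor":{"prototype":{"x":1}},"name":"a"}'
  );
  const merged = safeDeepMerge({}, payload);
  const untouched = {};
  return untouched.isAdmin === undefined &&
    untouched.x === undefined &&
    !Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin') &&
    merged.name === 'a' &&
    !Object.prototype.hasOwnProperty.call(merged, '__proto__');
}
```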

References

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:10:12Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
Affected packages

npm / @theecryptochad/merge-guard

Package

Name
@theecryptochad/merge-guard
Purl
pkg:npm/%40theecryptochad/merge-guard

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mhwj-73qx-jqxm/GHSA-mhwj-73qx-jqxm.json"