Prototype Pollution
Description
This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of @cookiex/deep are vulnerable to prototype pollution via __proto__.
Vulnerability
All versions of the npm package @cookiex/deep are vulnerable to prototype pollution [1][2]. The library's deep() function recursively merges objects without proper validation, allowing an attacker to pollute the global Object.prototype using the __proto__ property [3]. This affects versions prior to 0.0.6.
Exploitation
An attacker can exploit this by crafting an object with a __proto__ property containing malicious properties and passing it to the deep() function [2][3]. The recursive merge will copy these properties onto Object.prototype, affecting all objects in the application.
Impact
Successful exploitation can lead to denial of service (DoS) or remote code execution (RCE) due to the ability to override properties across the entire application [2]. The attacker can inject properties that alter the behavior of the application, potentially leading to full compromise.
Mitigation
The vulnerability is fixed in version 0.0.6 of @cookiex/deep [3][4]. Users should upgrade to this version or later. If upgrading is not possible, avoid passing untrusted objects to the deep() function as a workaround [2].
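A minimal illustration of the recursive-merge flaw and the key-denylist fix described above (an added example, not @cookiex/deep's own code; `mergeUnsafe`, `mergeSafe`, `INVALID_KEYS` and the constructed JSON payload are assumptions mirroring the report):

```javascript
// Added example (not the @cookiex/deep source): a minimal recursive merge of
// the kind the advisory describes, beside a hardened variant that skips the
// keys the fix commit denylists. All names and inputs here are constructed.
const INVALID_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every own key of b onto a, recursing into nested objects.
// For a plain target, a["__proto__"] is Object.prototype, so a nested object
// under that key is merged straight into the shared prototype.
function mergeUnsafe(a, b) {
  for (const key of Object.keys(b)) {
    if (isPlainObject(a[key]) && isPlainObject(b[key])) mergeUnsafe(a[key], b[key]);
    else a[key] = b[key];
  }
  return a;
}

// Hardened: same merge, but denylisted keys are skipped at every recursion
// level and the merge only descends into properties the target itself owns.
function mergeSafe(a, b) {
  for (const key of Object.keys(b)) {
    if (INVALID_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(a, key);
    if (own && isPlainObject(a[key]) && isPlainObject(b[key])) mergeSafe(a[key], b[key]);
    else a[key] = b[key];
  }
  return a;
}

// Constructed payload of the shape the advisory describes. JSON.parse keeps
// "__proto__" as an ordinary own key (an object literal would instead set the
// prototype), which is why Object.keys(b) sees it.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}}');

// Merges PAYLOAD into a fresh target with the given merge function and reports
// whether an unrelated object gained the injected property; the prototype is
// restored afterwards so one run cannot affect the next.
function pollutes(merge) {
  merge({}, PAYLOAD);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}
```

`pollutes(mergeUnsafe)` returns true and `pollutes(mergeSafe)` returns false, while `mergeSafe` still merges ordinary nested keys as before.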
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @cookiex/deep (npm) | < 0.0.7 | 0.0.7 |
Affected products
- @cookiex/deep / @cookiex/deep
Patches
- b5bea2b7f34a fix: prototype pollution fix #1
1 file changed · +2 −2
src/assigner.ts+2 −2 modified@@ -1,12 +1,12 @@ const untracker = [ undefined, null ] - +const invalids = [ '__proto__', 'constructor', 'prototype' ] const Assigner = function( delegate: ( a: any, b: any ) => any, useuntrack: boolean = true ): ( ...args: any[] ) => any { const assigner = ( ...args: any[] ) => { - console.log( { args } ) return args.reduce( ( a, b ) => { if ( untracker.includes( a ) ) throw new TypeError( `can't convert ${a} to object` ) if ( useuntrack && untracker.includes( b ) ) return a Object.keys( b ).forEach( key => { + if ( invalids.includes( key ) ) return void 0 if ( untracker.includes( a[key] ) ) a[key] = b[key] else a[key] = delegate.call( this, a[key], b[key] ) } )
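Review bot: The `invalids` check added inside the `Object.keys( b ).forEach` loop blocks the three keys by name, but the commit touches only src/assigner.ts (1 file changed), so nothing pins the behaviour; a regression test that merges `JSON.parse('{"__proto__":{"polluted":1}}')` into `{}` and asserts `({}).polluted === undefined` would keep the filter from being lost in a later refactor. Two smaller points: `return void 0` in the `forEach` callback is just `return;`, and a one-line comment above `const invalids = [ '__proto__', 'constructor', 'prototype' ]` naming the prototype-pollution issue would record why `constructor` and `prototype` are rejected wholesale, since the filter also silently drops legitimate data keys with those names.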
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-92v9-xh2q-fq9f (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-23442 (ADVISORY)
- github.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88 (WEB)
- github.com/tony-tsx/cookiex-deep/issues/1 (WEB)
- snyk.io/vuln/SNYK-JS-COOKIEXDEEP-1582793 (WEB)
News mentions
No linked articles in our index yet.