CVE-2021-26707
Description
merge-deep before 3.0.3 allows prototype pollution via a constructor payload, overwriting Object.prototype properties and enabling attacks on Node.js applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The merge-deep library for Node.js, versions before 3.0.3, is susceptible to prototype pollution. The library attempts to block merges into __proto__, but fails to prevent pollution of Object.prototype via a specially crafted object using the constructor.prototype property path. The fix in version 3.0.3 adds an isValidKey function that rejects keys __proto__, constructor, and prototype. [1][2]
Exploitation
An attacker can exploit this by providing a malicious JSON payload to a function that uses merge-deep. For example, merging a crafted object like {"constructor": {"prototype": {"isAdmin": true}}} will set Object.prototype.isAdmin to true, even though the merge may throw an exception (since Object.prototype cannot be reassigned, but can be mutated). The attacker does not need authentication or special network access beyond being able to supply the payload, e.g., via an API endpoint or config file. [2]
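The mechanism described in the two paragraphs above, and the key check that 3.0.3 introduces, as an added example written for this page (it is not merge-deep's own code): a minimal recursive merge in the shape of the library's merge function, parameterised by the key check so the pre-3.0.3 check (reject only __proto__) and the 3.0.3 isValidKey check can be run side by side against the payload quoted in the advisory. The names mergeWithKeyCheck, legacyKeyCheck and demonstrate are chosen here; isValidKey mirrors the body shown in the fix commit. The demonstration removes the polluted property again so the rest of the process is unaffected.

```javascript
// Added example, not merge-deep's code. Helper names are chosen here.

// merge-deep treats functions as objects, which is what lets {}.constructor
// (the Object function) become a merge target.
function isObject(val) {
  return val !== null && (typeof val === 'object' || typeof val === 'function');
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Pre-3.0.3 check: only "__proto__" is rejected.
function legacyKeyCheck(key) {
  return key !== '__proto__';
}

// The check added in 3.0.3 (same three names as the fix commit).
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Recursive merge parameterised by the key check. target[key] is read through
// the prototype chain: on a plain object, "constructor" resolves to Object and
// then "prototype" resolves to Object.prototype, which becomes the next target.
function mergeWithKeyCheck(target, obj, keyIsValid) {
  for (const key in obj) {
    if (!keyIsValid(key) || !hasOwn(obj, key)) continue;
    const oldVal = obj[key];
    const newVal = target[key];
    if (isObject(newVal) && isObject(oldVal)) {
      target[key] = mergeWithKeyCheck(newVal, oldVal, keyIsValid);
    } else {
      target[key] = oldVal;
    }
  }
  return target;
}

// Merges the advisory's payload into a fresh object with the given key check and
// reports whether an unrelated object now inherits isAdmin. Object.prototype is
// cleaned afterwards. The payload string is the one quoted in the advisory.
function demonstrate(keyIsValid) {
  const payload = JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}');
  let threw = false;
  try {
    mergeWithKeyCheck({}, payload, keyIsValid);
  } catch (e) {
    // With the legacy check, Object.prototype has already been mutated by the
    // time the non-writable Object.prototype property is reassigned; in strict
    // mode that reassignment throws, in sloppy mode it is silently ignored.
    threw = true;
  }
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, threw };
}

console.log('pre-3.0.3 check :', demonstrate(legacyKeyCheck)); // polluted: true
console.log('3.0.3 isValidKey:', demonstrate(isValidKey));     // polluted: false
```

Note that the pollution happens in the innermost merge call, before any exception: a caller that wraps the merge in try/catch and carries on has already had Object.prototype modified. The hardened check stops descent at the "constructor" key, so neither Object nor Object.prototype is ever used as a target.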
Impact
Successful exploitation results in prototype pollution, where properties are added or overwritten on Object.prototype. This can lead to unpredictable behavior, privilege escalation, denial of service, or remote code execution depending on the application context. For instance, if an application checks user.isAdmin, after the pollution any object that does not define its own isAdmin property will inherit isAdmin: true. [2]
Mitigation
Upgrade to merge-deep version 3.0.3 or later, released on 2021-01-13, which blocks keys __proto__, constructor, and prototype. No workaround is available for earlier versions. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| merge-deep (npm) | < 3.0.3 | 3.0.3 |
Affected products
- Node.js/merge-deep
Patches
11e5dd56de8a add isValidKey function to ensure only valid keys are merged
2 files changed · +6 −1
index.js+5 −1 modified@@ -32,7 +32,7 @@ module.exports = function mergeDeep(orig, objects) { function merge(target, obj) { for (var key in obj) { - if (key === '__proto__' || !hasOwn(obj, key)) { + if (!isValidKey(key) || !hasOwn(obj, key)) { continue; } @@ -57,3 +57,7 @@ function hasOwn(obj, key) { function isObject(val) { return typeOf(val) === 'object' || typeOf(val) === 'function'; } + +function isValidKey(key) { + return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; +} \ No newline at end of file
.travis.yml+1 −0 modified@@ -17,4 +17,5 @@ node_js: matrix: fast_finish: true allow_failures: + - node_js: 'node' - node_js: '0.8'
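Review bot: in the index.js hunk, isValidKey is a denylist of three names and the merge loop silently skips any key it rejects, so a caller cannot tell that part of its input was dropped; consider documenting the skipped keys in the README and adding a regression test that merges the constructor.prototype payload from the advisory and asserts Object.prototype is untouched. The hunk also leaves index.js without a trailing newline ("\ No newline at end of file"), which most linters flag.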
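Review bot: the .travis.yml hunk adds `- node_js: 'node'` to allow_failures, so test failures on the current Node release no longer fail the build; this is unrelated to the security fix and belongs in a separate commit, and it risks hiding a real regression of the new key check on current Node.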
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r6rj-9ch6-g264 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-26707 (NVD)
- securitylab.github.com/advisories/GHSL-2020-160-merge-deep (GitHub Security Lab advisory; also cited by MITRE)
- github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5 (fix commit)
- security.netapp.com/advisory/ntap-20210716-0008 (NetApp advisory; also cited by MITRE)
- www.npmjs.com/package/merge-deep (npm package)