CVE-2024-38990
Description
Prototype pollution in Tada5hi sp-common v0.5.4 via mergeDeep allows arbitrary code execution or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability was discovered in Tada5hi sp-common version 0.5.4, specifically in the mergeDeep function [1]. This flaw occurs when the function improperly handles the __proto__ property, allowing an attacker to inject arbitrary properties into the object's prototype [1].
To exploit this vulnerability, an attacker provides a crafted argument to mergeDeep containing a property like __proto__ with malicious keys [1]. The attack does not require authentication or special network position, as it can be triggered client-side or server-side depending on usage [1].
Successful exploitation can result in altering the behavior of all objects that inherit from the affected prototype, potentially leading to Denial of Service (DoS), remote code execution (RCE), or cross-site scripting (XSS) attacks, depending on the application's gadgets [1].
As of the advisory, version 0.5.4 is known to be affected; users should check for patched versions or apply workarounds such as sanitizing input to mergeDeep [1]. The vulnerability has a CVSS v3 base score of 6.3 (Medium) [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 0.5.4
- (no CPE) range: = 0.5.4
Package: https://npmjs.com/package/sp-common
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in mergeDeep allows the __proto__ property to pollute Object.prototype."
Attack vector
An attacker with low-privilege access can call the `mergeDeep` function with a crafted object containing the special property `__proto__` [ref_id=1]. Because the function recursively merges properties without filtering `__proto__`, it pollutes `Object.prototype` with attacker-controlled values [CWE-94]. This can alter the behavior of all objects inheriting from the affected prototype, potentially leading to denial of service, remote code execution, or cross-site scripting depending on available gadgets [ref_id=1]. The attack is network-reachable and requires no user interaction.
Affected code
The vulnerable function is `mergeDeep` in the `@abip/sp-common` package version 0.5.4 [ref_id=1]. The function does not sanitize or block the `__proto__` property key during deep merge operations, allowing prototype pollution to occur.
What the fix does
No patch is published in the bundle. The advisory [ref_id=1] identifies that the `mergeDeep` function fails to block or sanitize the `__proto__` property key during deep merge operations. To remediate, the package should either disallow keys matching `__proto__`, `constructor.prototype`, or similar prototype-altering properties, or use a safe merge utility (e.g., `Object.create(null)` for the target) that prevents prototype pollution.
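As an added illustration of the remediation described above (this is example code, not sp-common's own implementation), a hardened deep merge that copies only own keys, skips `__proto__`, `constructor` and `prototype`, and creates nested targets with a null prototype so that nothing it writes can reach `Object.prototype`. The `CRAFTED_PAYLOAD` string is a constructed input in the shape the advisory describes, not a captured request.

```javascript
'use strict';

// Keys that would let a merge alter a shared prototype instead of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (Object.prototype or null prototype) are merged recursively;
// arrays, functions, class instances and primitives are assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge (example, not the package's mergeDeep):
//  - iterates Object.keys, so inherited properties of the source are ignored;
//  - drops prototype-altering keys instead of copying them;
//  - allocates nested targets with Object.create(null) so a nested write can
//    never land on Object.prototype even if a key were missed.
function mergeDeepSafe(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        const ownPlain = Object.prototype.hasOwnProperty.call(target, key) &&
          isPlainObject(target[key]);
        if (!ownPlain) target[key] = Object.create(null);
        mergeDeepSafe(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed payload: JSON.parse turns the "__proto__" member into an OWN
// property of the parsed object, which is exactly what a naive recursive merge
// would then write through to Object.prototype.
const CRAFTED_PAYLOAD = '{"__proto__":{"polluted":true},"name":"legit"}';

// Runs the hardened merge on the crafted payload and reports whether a fresh
// object picked up the injected key (it must not) and whether ordinary keys
// still merged (they must).
function demonstrate() {
  const victim = {};
  mergeDeepSafe(victim, JSON.parse(CRAFTED_PAYLOAD));
  return {
    prototypePolluted: ({}).polluted !== undefined,
    keptLegitKey: victim.name === 'legit',
    copiedProtoKey: Object.prototype.hasOwnProperty.call(victim, '__proto__'),
  };
}

console.log(demonstrate());
// → { prototypePolluted: false, keptLegitKey: true, copiedProtoKey: false }
```

The same guard covers the `constructor.prototype` route, since `constructor` is dropped at the top level before recursion ever reaches `prototype`; a merge that only filtered `__proto__` would still be exposed there.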
Preconditions
- input: Attacker must be able to call the mergeDeep function with a crafted argument containing __proto__
- auth: Attacker must have low-privilege access (PR:L per CVSS)
Reproduction
(async () => {
  const lib = await import('@abip/sp-common');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // JSON.parse yields an own "__proto__" key, which the unfiltered merge writes through
    lib.mergeDeep(victim, JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.test; // remove the injected key again
})();
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.