VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

CVE-2026-12644

Description

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The merge() function's blocklist omits built-in Object.prototype method names, allowing user input to overwrite them with non-function values."

Attack vector

An attacker supplies a JSON payload containing keys such as `toString` or `valueOf` with a non-function value (e.g. a string). When the application calls `merge()` on this user-controlled input, the blocklist only rejects `__proto__`, `constructor`, and `prototype` — it does not filter built-in `Object.prototype` methods. The merged object therefore overwrites those methods with the attacker's value. Any subsequent string-context operation (template literal, concatenation, array join) on the result throws a `TypeError`, crashing the application [ref_id=1]. No authentication or special network position is required beyond the ability to inject JSON into a merge call.

What the fix does

The patch introduces an `UNSAFE_KEYS` Set that includes `toString`, `valueOf`, `hasOwnProperty`, `isPrototypeOf`, `propertyIsEnumerable`, and `toLocaleString` alongside the previously blocked keys [patch_id=6590899]. The inline array check `["__proto__", "constructor", "prototype"].includes(key)` is replaced with `UNSAFE_KEYS.has(key)`, ensuring that any attempt to overwrite these built-in `Object.prototype` methods is silently skipped during merge. This prevents the merged object from losing its expected function properties, thereby avoiding the `TypeError` crash in string-context operations.

Preconditions

  • Input: the application must call `merge()` with user-controlled input that includes keys like `toString` or `valueOf`.
  • Config: the merged result must later be used in a string context (template literal, concatenation, join, etc.).

Reproduction

```js
const { merge } = require('ts-deepmerge');

// User-controlled JSON carrying a non-function value under a built-in method name
const userInput = JSON.parse('{"toString": "<img src=x onerror=alert(1)>"}');
const config = { title: 'Hello', theme: 'dark' };
const result = merge(config, userInput);

console.log(typeof result.toString); // 'string'
`${result}`; // TypeError: Cannot convert object to primitive value
```
[ref_id=1]
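The following added example (not ts-deepmerge's own code) is a minimal deep merge whose key blocklist is a parameter, so the pre-fix blocklist from "Attack vector" and the `UNSAFE_KEYS` blocklist from "What the fix does" can be run side by side against the same constructed payload; `mergeWithBlocklist` and `survivesStringContext` are hypothetical helper names.

```javascript
// Blocklist before the fix: only the three prototype-pollution keys.
const LEGACY_UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Blocklist after the fix: the same keys plus the built-in Object.prototype
// method names listed in the advisory.
const UNSAFE_KEYS = new Set([
  ...LEGACY_UNSAFE_KEYS,
  "toString", "valueOf", "hasOwnProperty",
  "isPrototypeOf", "propertyIsEnumerable", "toLocaleString",
]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Deep-merge `sources` into a fresh object, silently skipping any key
// present in `unsafe` (the same strategy the patch takes).
function mergeWithBlocklist(unsafe, ...sources) {
  const result = {};
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (unsafe.has(key)) continue;
      const value = source[key];
      result[key] = isPlainObject(value) && isPlainObject(result[key])
        ? mergeWithBlocklist(unsafe, result[key], value)
        : value;
    }
  }
  return result;
}

// True when the merged object can still be coerced to a string, i.e. the
// ToPrimitive path (toString, then valueOf) still finds a callable method.
function survivesStringContext(merged) {
  try {
    String(merged);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// Constructed sample input: a non-function value under a built-in method name.
const userInput = JSON.parse('{"toString": "not-a-function"}');
const config = { title: "Hello", theme: "dark" };

const vulnerable = mergeWithBlocklist(LEGACY_UNSAFE_KEYS, config, userInput);
const hardened = mergeWithBlocklist(UNSAFE_KEYS, config, userInput);
```

With the legacy blocklist `typeof vulnerable.toString` is `"string"` and `survivesStringContext(vulnerable)` is false; with `UNSAFE_KEYS` the key is dropped, `hardened.toString` is still `Object.prototype.toString`, and the object coerces normally.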

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.