Critical severity · NVD Advisory · Published Jan 29, 2026 · Updated Feb 2, 2026

deepHas vulnerable to Prototype Pollution via constructor.prototype

CVE-2026-25047

Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
deephas (npm) | < 1.0.8 | 1.0.8

Affected products


Patches

8097fafd3776

Fix prototype pollution in deepHas and add regression tests

https://github.com/sharpred/deepHas · kevgeoleo · Jan 28, 2026 · via ghsa
3 files changed · +51 −2
  • deepHas.js · +32 −2 · modified
    @@ -40,22 +40,52 @@ function reduce(obj, str) {
     
     }
     
    +function splitOnDot(str) {
    +  var result = [];
    +  var current = "";
    +  var i = 0;
    +
    +  while (i < str.length) {
    +    if (str[i] === ".") {
    +      result[result.length] = current;
    +      current = "";
    +    } else {
    +      current = current + str[i];
    +    }
    +    i = i + 1;
    +  }
    +
    +  result[result.length] = current;
    +  return result;
    +}
    +
     function add(obj, str, val) {
         "use strict";
         try {
    +        var items = splitOnDot(str);
             if (typeof str !== "string") {
                 return;
             }
    -        if (str.indexOf('__proto__') != -1) {
    +        /*if (str.indexOf('__proto__') != -1) {
                 throw "cannot modify prototype property";
    +        }*/
    +        var i = 0;
    +        while (i < items.length) {
    +            var k = items[i];
    +
    +            if ( k === "__proto__" || k === "constructor" || k === "prototype") {
    +                throw "cannot modify prototype property";
    +            }
    +
    +            i = i + 1;
             }
             if (typeof obj !== "object") {
                 return;
             }
             if (!val) {
                 return;
             }
    -        var items = str.split('.');
    +        //var items = str.split('.');
             var initial = items.slice(0, items.length - 1);
             var last = items.slice(items.length - 1);
             var test = initial.reduce(indexTrue, obj);
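Review bot: `var items = splitOnDot(str);`, the first added line inside the try, runs before the `typeof str !== "string"` guard that immediately follows it, so a null or undefined path reaches `str.length` inside splitOnDot and throws a TypeError instead of returning early as the guard intends; whether the catch outside this hunk swallows that is not visible here. Move the call below the guard: `if (typeof str !== "string") { return; }` then `var items = splitOnDot(str);`. The old `indexOf('__proto__')` check and the old `str.split('.')` line are left behind as commented-out code; delete them, since the per-segment loop over `__proto__`/`constructor`/`prototype` and splitOnDot replace them. A one-line comment above splitOnDot would also help, e.g. `// Hand-rolled split: presumably avoids String.prototype.split / Array.prototype.push so tampered built-ins cannot bypass the segment check — confirm intent`, so the next reader does not simplify it back to split(). add's body continues outside the hunk.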
    
  • tests/testVulnerability2.js · +9 −0 · added
    @@ -0,0 +1,9 @@
    +var dh = require("../deepHas"),
    +    should = require("should"),
    +    obj;
    +
    +obj = {};
    +
    +Object.prototype.hasOwnProperty = () => true;
    +dh.set(obj, 'constructor.prototype.polluted', 'yes');
    +should.not.exist(obj.polluted);
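Review bot: The test replaces `Object.prototype.hasOwnProperty` and never restores it, and tests/testVulnerability3.js does the same with `String.prototype.indexOf`, so any test that runs later in the same process inherits the tampered built-in; save the original and restore it in a `finally`. The assertion also only inspects `obj.polluted`; since the attack target is the shared prototype, asserting on a fresh object as well, `should.not.exist(({}).polluted);`, makes the regression explicit. tests/testVulnerability3.js additionally lacks a trailing newline.
```javascript
var originalHasOwnProperty = Object.prototype.hasOwnProperty;
try {
  Object.prototype.hasOwnProperty = () => true;
  dh.set(obj, 'constructor.prototype.polluted', 'yes');
  should.not.exist(obj.polluted);
  should.not.exist(({}).polluted);
} finally {
  Object.prototype.hasOwnProperty = originalHasOwnProperty;
}
```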
    
  • tests/testVulnerability3.js · +10 −0 · added
    @@ -0,0 +1,10 @@
    +var dh = require("../deepHas"),
    +    should = require("should"),
    +    obj;
    +
    +obj = {};
    +
    +String.prototype.indexOf = () => -1;
    +dh.set(obj, '__proto__.polluted', 'yes');
    +should.not.exist(obj.polluted);
    +obj.hasOwnProperty('polluted').should.equal(false);
    \ No newline at end of file
    

Vulnerability mechanics


References

