VYPR
High severity (7.2) · NVD Advisory · Published May 21, 2026

@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty

CVE-2026-46681

Description

Summary

The _copyProps function in lib/src/object/copy.ts uses for...in to iterate over the source object's properties without an Object.hasOwnProperty check, and does not filter the dangerous keys __proto__, constructor and prototype. This allows an attacker to pollute the prototype chain of all objects in the application.

Details

In _copyProps() (copy.ts lines 186-191), the code iterates over all enumerable properties, including inherited ones and dangerous keys such as __proto__. Any object carrying a __proto__ key (for example, one produced from untrusted JSON input) will overwrite the target's prototype.

PoC

// PoC as given in the advisory; the require line is added so it runs as a script
// and assumes the package exports objDeepCopy under that name.
const { objDeepCopy } = require("@nevware21/ts-utils");
const malicious = JSON.parse('{"__proto__": {"polluted": true}}');
objDeepCopy(malicious);   // the "__proto__" key is copied into the prototype chain
console.log({}.polluted); // true

Suggested fix

Add an objHasOwnProperty check and filter out the __proto__, constructor and prototype keys.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

_copyProps in ts-utils uses for...in without hasOwnProperty check, allowing prototype pollution via malicious JSON input.

Vulnerability

The _copyProps function in lib/src/object/copy.ts iterates over source object properties with a for...in loop, without checking Object.hasOwnProperty and without filtering the dangerous keys __proto__, constructor and prototype. This allows an attacker to pollute the prototype chain of all objects in the application [1][2].

Exploitation

An attacker can supply a crafted JSON object containing a __proto__ key, for example {"__proto__": {"polluted": true}}. When this object is passed to objDeepCopy or similar functions, the _copyProps function assigns the nested properties directly to the target's prototype, leading to global prototype pollution [1].

Impact

Successful exploitation results in prototype pollution, which affects every object in the application. Depending on how the polluted properties are later used, this can lead to property injection, denial of service, or potentially remote code execution [1][2].

Mitigation

The issue is fixed by adding a hasOwnProperty check and filtering out dangerous keys (__proto__, constructor, prototype) in the _copyProps function. Users should update to the patched version of the ts-utils library as soon as possible [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
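The following is an added example, not code from the ts-utils project, illustrating both the Details/Suggested fix section and the Mitigation section above. It places a property-copy routine in the unsafe shape the advisory describes (for...in, no own-property check, no key filter) beside a hardened deep copy that applies the suggested fix, and adds a small check that a test suite can run to confirm Object.prototype is untouched. The function names, DANGEROUS_KEYS and the sample JSON are assumptions made here.

```javascript
// Added example; not the @nevware21/ts-utils project's own code. Names below
// (copyPropsUnsafe, copyPropsSafe, deepCopySafe, prototypeIsClean) are assumed.

// The three keys that attacker-controlled input must never be allowed to write.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Unsafe shape: for...in also walks inherited enumerable keys, and a "__proto__"
// key produced by JSON.parse is assigned as if it were ordinary data. The
// assignment here is shallow, so it only rewires the prototype of `target`;
// the recursive copy described in the advisory is what reaches the shared
// Object.prototype.
function copyPropsUnsafe(target, source) {
  for (const key in source) {
    target[key] = source[key];
  }
  return target;
}

// Hardened shape: own enumerable keys only, dangerous keys dropped.
function copyPropsSafe(target, source) {
  for (const key in source) {
    if (!hasOwn(source, key) || DANGEROUS_KEYS.has(key)) continue;
    target[key] = source[key];
  }
  return target;
}

// Hardened deep copy of JSON-like data (plain objects, arrays, primitives).
// A WeakMap of visited objects keeps cyclic input from recursing forever.
function deepCopySafe(value, seen = new WeakMap()) {
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return seen.get(value);
  if (Array.isArray(value)) {
    const out = [];
    seen.set(value, out);
    for (const item of value) out.push(deepCopySafe(item, seen));
    return out;
  }
  const out = {};
  seen.set(value, out);
  // Object.keys lists own enumerable keys only, so inherited ones never reach
  // the copy; the key filter is still required because JSON.parse creates an
  // own property literally named "__proto__".
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    out[key] = deepCopySafe(value[key], seen);
  }
  return out;
}

// Check for tests or a health probe: true when Object.prototype carries no
// own property with the given name.
function prototypeIsClean(probe = "polluted") {
  return !hasOwn(Object.prototype, probe);
}

// Constructed sample input, shaped like the advisory's PoC plus a benign key.
const MALICIOUS_JSON = '{"__proto__": {"polluted": true}, "name": "x"}';

// Runs the hardened copy over the sample and reports what a reviewer would check.
function demo() {
  const malicious = JSON.parse(MALICIOUS_JSON);
  const copy = deepCopySafe(malicious);
  return {
    name: copy.name,                       // benign data survives
    keptProto: hasOwn(copy, "__proto__"),  // false: the key was dropped
    leaked: copy.polluted,                 // undefined
    clean: prototypeIsClean("polluted"),   // true
  };
}
```

The hardened copy combines both halves of the suggested fix: an own-property check (here via Object.keys and hasOwnProperty.call) removes inherited keys, and the explicit DANGEROUS_KEYS filter removes the keys that the own-property check alone would still let through, because JSON.parse makes "__proto__" an own property of the parsed object.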
