
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MHWJ-73QX-JQXM: Prototype Pollution in @theecryptochad/merge-guard via deepMerge()


Vulnerability ID: GHSA-MHWJ-73QX-JQXM
CVSS Score: 9.8
Published: 2026-05-11

The @theecryptochad/merge-guard JavaScript package version 1.0.0 is vulnerable to Prototype Pollution. The deepMerge() function fails to validate input keys during recursive object merging, allowing attackers to inject malicious properties into the global Object.prototype through the __proto__ accessor. Because Object.prototype is shared by every object in the process, the injected properties alter application-wide state and can lead to Denial of Service, business logic bypass, or Remote Code Execution, depending on whether the application contains susceptible gadget chains.

TL;DR

A missing input validation check in the deepMerge() function of @theecryptochad/merge-guard v1.0.0 permits Prototype Pollution. Attackers can supply a crafted JSON payload containing a __proto__ key to alter the global Object.prototype. The vulnerability is fixed in version 1.0.1 by implementing a restricted key denylist.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network
  • Estimated CVSS: 9.8
  • Impact: DoS, Logic Bypass, RCE
  • Exploit Status: Proof of Concept Available
  • Vulnerable Component: deepMerge() function

Affected Systems

  • Node.js server applications utilizing @theecryptochad/merge-guard
  • Client-side web applications bundling @theecryptochad/merge-guard
  • @theecryptochad/merge-guard: < 1.0.1 (Fixed in: 1.0.1)

Code Analysis

Commit: 25e4b4f

Fix prototype pollution vulnerability by adding blocklist for dangerous keys

@@ -2,6 +2,10 @@
+const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+
 function deepMerge(target, source) {
   if (typeof source !== 'object' || source === null) return target;

   for (const key of Object.keys(source)) {
+    if (BLOCKED_KEYS.has(key)) continue;
+
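Review bot: the `continue` on the new `if (BLOCKED_KEYS.has(key)) continue;` line drops a blocked key silently, so an application that receives a `__proto__` payload never learns it was targeted; consider throwing or at least logging at that point so the attempt is visible to callers and to detection tooling, and add a regression test that merges `JSON.parse('{"__proto__":{"x":1}}')` into an empty object and asserts that `({}).x` stays undefined. The hunk as shown ends before the recursive branch, so this review cannot confirm that nested objects are merged by re-entering this same loop; the denylist only protects nested levels if they are.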

Exploit Details

  • Provided Context PoC: Demonstrates arbitrary property injection onto the global Object.prototype via the __proto__ key.
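As an added example that is not the package's own code: a deepMerge() of the shape the advisory describes (the vulnerable body is an assumed reconstruction, since the commit only shows the loop head), the same function carrying the denylist from the 1.0.1 fix, and a probe that checks whether a hostile JSON body reached Object.prototype. The names isPlainObject, deepMergeVulnerable, deepMergeSafe, probe and HOSTILE_JSON are constructed for this example.

```javascript
function isPlainObject(v) {
  return typeof v === 'object' && v !== null;
}

// Vulnerable shape (assumed): every own key of `source` is merged, including "__proto__".
function deepMergeVulnerable(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeVulnerable(target[key], value); // target["__proto__"] === Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: the denylist from the 1.0.1 fix; blocked keys are skipped.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body: JSON.parse() makes "__proto__" an ordinary own key.
const HOSTILE_JSON = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Merge the sample with one implementation, report whether an unrelated fresh object gained the property, then clean up.
function probe(merge) {
  const before = ({}).isAdmin;
  merge({}, JSON.parse(HOSTILE_JSON));
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin; // restore the process for the next probe
  return { before, after };
}

console.log(probe(deepMergeVulnerable), probe(deepMergeSafe)); // { before: undefined, after: true } { before: undefined, after: undefined }
```

The same probe, pointed at the real package's deepMerge(), is a quick way to confirm that an upgrade to 1.0.1 actually took effect in a deployed build.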

Mitigation Strategies

  • Upgrade @theecryptochad/merge-guard to version 1.0.1
  • Implement strict input validation and JSON schema enforcement
  • Run Node.js with the --disable-proto=delete flag
  • Freeze the global prototype object using Object.freeze(Object.prototype) at startup

Remediation Steps:

  1. Audit project dependencies to identify the vulnerable package version.
  2. Update the package manager lockfile to require @theecryptochad/merge-guard@1.0.1.
  3. Execute automated tests to ensure the denylist patch does not break existing merge logic.
  4. Deploy the updated application build to production environments.

Read the full report for GHSA-MHWJ-73QX-JQXM on our website for more details including interactive diagrams and full exploit analysis.
