CVE-2026-25047

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465	Patch
https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*

History

25 Feb 2026, 15:13

Type	Values Removed	Values Added
References	~~() https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465 -~~	() https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465 - Patch
References	~~() https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27 -~~	() https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:sharpred:deephas:1.0.7:::::node.js::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Sharpred deephas Sharpred

04 Feb 2026, 16:34

Type	Values Removed	Values Added
Summary		(es) deepHas proporciona una prueba para la existencia de una clave de objeto anidado y opcionalmente devuelve esa clave. Existe una vulnerabilidad de contaminación de prototipos en la versión 1.0.7 del paquete npm deephas que permite a un atacante modificar el comportamiento de objetos globales. Este problema fue solucionado en la versión 1.0.8.

29 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-29 22:15

Updated : 2026-02-25 15:13

NVD link : CVE-2026-25047

Mitre link : CVE-2026-25047

CVE.ORG link : CVE-2026-25047

JSON object : View

Products Affected

sharpred

deephas

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2026-25047", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-29T22:15:55.647", "references": [{"url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."}, {"lang": "es", "value": "deepHas proporciona una prueba para la existencia de una clave de objeto anidado y opcionalmente devuelve esa clave. Existe una vulnerabilidad de contaminaci\u00f3n de prototipos en la versi\u00f3n 1.0.7 del paquete npm deephas que permite a un atacante modificar el comportamiento de objetos globales. Este problema fue solucionado en la versi\u00f3n 1.0.8."}], "lastModified": "2026-02-25T15:13:28.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0D998147-9A29-4864-97BD-88D814F73D54"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}