EXECUTIVE SUMMARY:
CVE-2026-25047 describes a prototype pollution vulnerability in the npm deephas package that allows an attacker to inject or modify properties on an object's prototype through unsafe handling of the constructor.prototype property path. The flaw affects versions earlier than 1.0.8: when a caller-controlled key path is walked without filtering the keys "__proto__", "constructor" and "prototype", the traversal can step from an ordinary object to its inherited constructor and on to Object.prototype, so that properties supplied by the attacker become visible on every object in the process. The concrete impact depends on how downstream code consumes the polluted properties and can range from altered application behaviour and denial of service to authentication bypass or, in some applications, remote code execution. The issue carries a severity score of 9.4, which falls in the Critical band of the CVSS scale and indicates serious consequences if exploited.
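The following is an added illustration of the bug class, not deephas's own code (the advisory does not reproduce the affected function). It shows a minimal dot-path "deep set" helper of the kind found in many npm utilities, first in a form that a constructor.prototype path drives into Object.prototype, then hardened with a key deny list and an own-property check. All names (unsafeDeepSet, safeDeepSet, isDangerousKey, the demo functions) are hypothetical.

```javascript
// Added illustration, not deephas's own code. A minimal dot-path "deep set"
// helper of the kind common in npm utilities, first in a form that can be
// driven into Object.prototype via a constructor.prototype path, then hardened.
// All names here (unsafeDeepSet, safeDeepSet, isDangerousKey, the demo
// functions) are hypothetical.

// Treats functions as containers, as many such helpers do. That is what lets
// the walk step from {} to its inherited "constructor" (the Object function)
// and from there to Object.prototype.
function isContainer(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

function unsafeDeepSet(target, path, value) {
  const keys = Array.isArray(path) ? path : path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!isContainer(node[k])) node[k] = {};   // no own-property check, no key filter
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;         // node may be Object.prototype by now
  return target;
}

// Hardened variant: refuse the three keys that lead to a prototype, and only
// descend into own properties so inherited ones are never traversed.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isDangerousKey(key) {
  return DANGEROUS_KEYS.has(String(key));
}

function safeDeepSet(target, path, value) {
  const keys = Array.isArray(path) ? path : path.split('.');
  if (keys.some(isDangerousKey)) {
    throw new TypeError('refusing to traverse prototype-related key');
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(node, k) || !isContainer(node[k])) {
      node[k] = {};
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Probe used by the demos: has `key` been planted directly on Object.prototype?
function isGloballyPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs the attack path against the unsafe helper, records the effect on an
// unrelated fresh object, then removes the injected property so the process
// is left clean.
function demonstratePollution() {
  const before = isGloballyPolluted('polluted');
  unsafeDeepSet({}, 'constructor.prototype.polluted', 'yes');
  const after = isGloballyPolluted('polluted');
  const seenByFreshObject = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after, seenByFreshObject };
}

// Same payload, plus the __proto__ spelling, against the hardened helper:
// both must be rejected and Object.prototype must stay untouched.
function demonstrateHardened() {
  let blocked = 0;
  for (const p of ['constructor.prototype.polluted', ['__proto__', 'polluted']]) {
    try {
      safeDeepSet({}, p, 'yes');
    } catch (e) {
      if (e instanceof TypeError) blocked++;
    }
  }
  return { blocked, leaked: isGloballyPolluted('polluted') };
}

// The hardened helper still does its ordinary job on a benign path.
function demonstrateNormalUse() {
  return safeDeepSet({}, 'a.b.c', 1);   // {a: {b: {c: 1}}}
}
```

The own-property check alone is not enough: assigning through a "__proto__" key on an object that has no own property of that name rewires that object's prototype rather than creating a plain property, which is why the deny list is kept as well.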
RECOMMENDATION:
We strongly recommend you update deephas to version 1.0.8 or later. Check which version is installed, including as a transitive dependency, with npm ls deephas, and rebuild the lockfile after upgrading so the fixed version is pinned.
REFERENCES:
The following reports contain further technical details: