EXECUTIVE SUMMARY:
CVE-2026-46681 (CVSS score 7.2) is a prototype pollution vulnerability in the npm package @nevware21/ts-utils. The _copyProps function in lib/src/object/copy.ts uses a for...in loop to iterate over source object properties without an Object.hasOwnProperty check, allowing an attacker to pollute the prototype chain of all objects in the application. An attacker can exploit this by providing a malicious object with a __proto__ key, for example through untrusted JSON input; because keys are not filtered, the target's prototype is overwritten. Exploitation requires that the attacker can inject malicious objects into the application and can reach the affected functionality. A successful attack lets the attacker manipulate the behavior of objects in the application, which can lead to data corruption, unintended functionality, and security breaches.
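The pattern described above, shown as an added example that is not the package's own code: unsafeCopy and safeCopy are hypothetical deep-copy helpers, and the JSON string is constructed input. It contrasts an unfiltered for...in copy with a hardened form that iterates own keys and skips prototype-related keys.

```javascript
// Hypothetical deep-copy helpers for illustration; not the code of @nevware21/ts-utils.
const isObj = (v) => v !== null && typeof v === "object";

// Unsafe: for...in with no own-property check and no key filtering.
function unsafeCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObj(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes into the prototype shared by all objects.
      if (!isObj(target[key])) target[key] = {};
      unsafeCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, prototype-related keys skipped, and a nested
// target is reused only if it is an own property of the current target.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function safeCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (isObj(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObj(target[key])) target[key] = {};
      safeCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an OWN property,
// so an own-property check alone would not filter it.
const untrusted = '{"name":"x","__proto__":{"polluted":true}}';

function demo(copyFn) {
  copyFn({}, JSON.parse(untrusted));
  const leaked = ({}).polluted === true; // does a fresh, unrelated object see the key?
  delete Object.prototype.polluted;      // restore global state after the check
  return leaked;
}

console.log("unsafe:", demo(unsafeCopy), "safe:", demo(safeCopy));
```

The same fresh-object check used in demo can serve as a regression test around any copy or merge helper that accepts parsed JSON.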
RECOMMENDATION:
We recommend updating @nevware21/ts-utils to version 0.14.0 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-x7j8-49r8-mr43