PT-2026-42530 · Npm · @Theecryptochad/Merge-Guard

Published 2026-05-11 · Updated 2026-05-11

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject `__proto__` keys that mutate Object.prototype, affecting all objects in the Node.js runtime.

Details

The deepMerge() function recursively merges two objects without sanitizing reserved property keys (`__proto__`, `constructor`, `prototype`). When a source object contains a `__proto__` key, the recursive merge reads `target.__proto__`, which the built-in accessor resolves to Object.prototype, and writes the source's nested keys onto it, so every object in the runtime inherits those properties.

Proof of Concept

```js
const { deepMerge } = require('@theecryptochad/merge-guard');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
deepMerge({}, payload);
console.log({}.isAdmin); // true — Object.prototype is polluted
```

Impact

Any application using deepMerge() with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto Object.prototype, enabling privilege escalation, application logic bypass, and property injection.

Remediation

Upgrade to @theecryptochad/merge-guard >= 1.0.1, which adds an explicit blocklist:

```js
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
if (BLOCKED.has(key)) continue;
```
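As an added illustration (not the package's own code), the following hardened merge applies the same blocklist as the 1.0.1 fix, restricts itself to own enumerable keys, and includes a helper that verifies Object.prototype stays clean after merging the kinds of payload this advisory describes. The names safeDeepMerge, isPlainObject and pollutesGlobalPrototype are assumed here; the payloads are constructed for the example.

```javascript
// Added example, not code from @theecryptochad/merge-guard.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Only recurse into plain objects; arrays, class instances, null etc. are copied as values.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened merge (assumed name): skips reserved keys and never follows inherited slots.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {   // own enumerable keys only
    if (BLOCKED.has(key)) continue;          // drop __proto__ / constructor / prototype
    const value = source[key];
    if (isPlainObject(value)) {
      // Merge into an existing own plain object, otherwise start from a fresh one,
      // so a getter like target.__proto__ is never used as the merge destination.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeDeepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payloads of the shape the advisory describes (top-level, via constructor, nested).
const PAYLOADS = [
  JSON.parse('{"__proto__":{"isAdmin":true}}'),
  JSON.parse('{"constructor":{"prototype":{"isAdmin":true}}}'),
  JSON.parse('{"nested":{"__proto__":{"isAdmin":true}}}'),
];

// Returns true if running mergeFn on the payload left the marker on Object.prototype.
function pollutesGlobalPrototype(mergeFn, payload) {
  mergeFn({}, payload);
  const leaked = 'isAdmin' in {};     // a fresh literal inherits from Object.prototype
  delete Object.prototype.isAdmin;    // reset so later checks start clean
  return leaked;
}

// True when none of the sample payloads pollute the global prototype through safeDeepMerge.
function allPayloadsBlocked() {
  return PAYLOADS.every((p) => !pollutesGlobalPrototype(safeDeepMerge, p));
}
```

The same pollutesGlobalPrototype helper can be pointed at a dependency's deepMerge in a unit test to confirm an upgrade actually closed the issue.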

References

Fix

Prototype Pollution


Weakness Enumeration

Related Identifiers: GHSA-MHWJ-73QX-JQXM

Affected Products: @Theecryptochad/Merge-Guard