PT-2026-5362 · Npm · Deephas

Kevgeoleo +2 · Published 2026-01-29 · Updated 2026-01-30 · CVE-2026-25047

CVSS v4.0: 9.4 Critical
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

deephas version 1.0.7
deephas versions prior to 1.0.8

Description

A prototype pollution issue exists in the deephas npm package. This allows an attacker to modify global object behavior by injecting properties into Object.prototype. The issue resides in the add() function and indexer() function within deepHas.js. The vulnerability can be bypassed by manipulating Object.prototype.hasOwnProperty or String.prototype.indexOf. Exploitation can lead to authentication bypass, denial of service, and potentially remote code execution if polluted properties are passed to vulnerable sinks.

Recommendations

deephas versions prior to 1.0.8 should be updated to version 1.0.8 or later.
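The weakness class described above, shown as an added example that is not deephas code or its fix: a dotted-path setter that walks into `Object.prototype`, beside a hardened one whose guard uses exact key matching and a `hasOwnProperty` reference captured at load time. The names `naiveSet`, `safeSet` and `pollutes` are hypothetical, and the input path is constructed.

```javascript
// Added example: hypothetical helpers, not code from the deephas package.

// Capture the built-in once at load, so a later overwrite of
// Object.prototype.hasOwnProperty does not change what this guard sees.
const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);
// Exact-match deny list (no substring search such as indexOf).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: follows any segment, including "__proto__",
// so the final write can land on Object.prototype.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: rejects prototype-reaching segments and only descends
// into objects that are own properties of the current node.
function safeSet(target, path, value) {
  const keys = String(path).split('.');
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (BLOCKED.has(key)) throw new TypeError('blocked path segment: ' + key);
    if (i === keys.length - 1) { node[key] = value; break; }
    if (!hasOwn(node, key) || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  return target;
}

// Regression check on a constructed path: true if the setter changed
// Object.prototype. The property is removed again before returning.
function pollutes(setter) {
  try { setter({}, '__proto__.isAdmin', true); } catch (e) { /* rejected */ }
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}
```

A check like `pollutes` fits in a unit test suite for any code that writes to objects along caller-supplied paths.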

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-25047
GHSA-2733-6C58-PF27

Affected Products

Deephas