CVE-2026-25047

CRITICAL EPSS 49.1%
Published Jan 29, 2026 (5mo ago) · Modified Jun 17, 2026 (2w ago)
9.4 CVSS 4.0
Critical

Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

CVSS Details

Base Score: 9.4
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability
49.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-1321

Affected Products 1

Vendor    Product  Version  Range
sharpred  deephas  1.0.7    any

References 2

  • github.com https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465
    Patch
  • github.com https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465
    Patch