Description
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
Published: 2026-06-19
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Versions of the ts-deepmerge library before 8.0.0 are vulnerable to an uncaught exception caused by improper handling of built-in Object.prototype methods such as toString and valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken, and any subsequent string context operation throws a TypeError, crashing the application. This leads to a denial of service scenario that can disrupt availability and stability of the host application.

Affected Systems

The vulnerability affects the ts-deepmerge JavaScript/TypeScript library in all releases prior to version 8.0.0. Applications that use ts-deepmerge to merge objects and accept unsanitized user input are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector relies on user-controlled input supplied to ts-deepmerge; an attacker could provide malicious payloads containing disallowed properties to trigger the exception. While no known widespread exploitation has been reported, the possibility of denial of service remains, and the lack of a KEV listing suggests limited public exploitation at present.

Generated by OpenCVE AI on June 19, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ts-deepmerge to version 8.0.0 or later to obtain the fixed implementation.
  • Sanitize or filter any user input before passing it to ts-deepmerge, removing or rejecting keys such as toString, valueOf, and other Object.prototype properties that are not functions.
  • Surround the deepmerge call with try-catch error handling to catch TypeError exceptions and prevent application crashes, thereby ensuring graceful degradation.
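The key filtering and the failing string conversion described in the list above, as an added JavaScript example that is not part of the advisory or of the ts-deepmerge project; the merge used here is a minimal stand-in for illustration, not the library's implementation, and the input is constructed.

```javascript
// Added example (not ts-deepmerge's own code): reject untrusted keys that shadow
// Object.prototype members before merging, then verify the result is usable.
const PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

// Recursively copy `value`, dropping any own key that is an Object.prototype
// member (toString, valueOf, hasOwnProperty, __proto__, ...) whose value is not
// a function, as the advisory recommends. Arrays are copied element-wise.
function stripPrototypeKeys(value) {
  if (Array.isArray(value)) return value.map(stripPrototypeKeys);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const key of Object.keys(value)) {
    const v = value[key];
    if (PROTO_KEYS.has(key) && typeof v !== "function") continue; // reject
    out[key] = stripPrototypeKeys(v);
  }
  return out;
}

// Minimal stand-in deep merge used only for illustration; it is NOT the
// ts-deepmerge implementation and makes no attempt to be safe on its own.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const s = source[key];
    const t = target[key];
    const bothObjects = s !== null && typeof s === "object" && !Array.isArray(s) &&
                        t !== null && typeof t === "object" && !Array.isArray(t);
    if (bothObjects) naiveMerge(t, s); else target[key] = s;
  }
  return target;
}

// True if `obj` can be used in a string context; a non-function own `toString`
// makes ToPrimitive throw TypeError, which is the crash the advisory describes.
function canStringify(obj) {
  try { `${obj}`; return true; }
  catch (e) { if (e instanceof TypeError) return false; throw e; }
}

// Constructed sample input, as it might arrive from JSON.parse on a request body.
const untrusted = JSON.parse('{"name":"svc","toString":"x","opts":{"valueOf":1,"retries":3}}');
console.log(canStringify(naiveMerge({}, untrusted)));                      // false
console.log(canStringify(naiveMerge({}, stripPrototypeKeys(untrusted))));  // true
```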


Tracking


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Title | | Uncaught Exception in ts-deepmerge from Improper Handling of Object.prototype Methods

Fri, 19 Jun 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
Weaknesses | | CWE-248
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-19T05:00:00.666Z

Reserved: 2026-06-18T18:00:17.870Z

Link: CVE-2026-12644

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T07:30:16Z

Weaknesses