Description
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
Published: 2026-06-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Versions of the ts-deepmerge library before 8.0.0 are vulnerable to an uncaught exception caused by improper handling of built‑in Object.prototype methods such as toString and valueOf. When user‑controlled input contains these keys with non‑function values, the resulting merged object becomes broken, and any subsequent string context operation throws a TypeError, crashing the application. This leads to a denial of service scenario that can disrupt availability and stability of the host application.

Affected Systems

The vulnerability affects the ts-deepmerge JavaScript/TypeScript library in all releases prior to version 8.0.0. Applications that use ts-deepmerge to merge objects and accept unsanitized user input are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector relies on user‑controlled input supplied to ts-deepmerge; an attacker could provide malicious payloads containing disallowed properties to trigger the exception. While no known widespread exploitation has been reported, the possibility of denial of service remains, and the lack of a KEV listing suggests limited public exploitation at present.

Generated by OpenCVE AI on June 19, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ts-deepmerge to version 8.0.0 or later to obtain the fixed implementation.
  • Sanitize or filter any user input before passing it to ts-deepmerge, removing or rejecting keys such as toString, valueOf, and other Object.prototype properties that are not functions.
  • Surround the deepmerge call with try‑catch error handling to catch TypeError exceptions and prevent application crashes, thereby ensuring graceful degradation.

Generated by OpenCVE AI on June 19, 2026 at 07:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87mf-gv2c-c62c ts-deepmerge: Prototype Method Override leads to DoS
History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Voodoocreation
Voodoocreation ts-deepmerge
Vendors & Products Voodoocreation
Voodoocreation ts-deepmerge

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title Uncaught Exception in ts-deepmerge from Improper Handling of Object.prototype Methods

Fri, 19 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Voodoocreation Ts-deepmerge
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-22T15:03:43.502Z

Reserved: 2026-06-18T18:00:17.870Z

Link: CVE-2026-12644

cve-icon Vulnrichment

Updated: 2026-06-22T15:03:01.118Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:54Z

Weaknesses