Description
deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.
Published: 2026-01-29
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution of global prototypes
Action: Immediate Patch
AI Analysis

Impact

deepHas provides a utility to test for the existence of a nested object key and optionally return it. In version 1.0.7 a flaw lets an attacker who controls the key path reach the global Object.prototype through the constructor.prototype field and inject properties onto it, altering the behaviour of every object in the JavaScript runtime. This weakness is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). Depending on how the library is used, the injected properties can change application logic, bypass checks that rely on missing properties, or crash the process, so confidentiality, integrity, and availability are all potentially affected (inferred).

Affected Systems

The vulnerability affects the deephas npm package (CPE vendor sharpred) at version 1.0.7, running under Node.js. Every application that depends on this version and passes untrusted input (in particular attacker-controlled key paths) to deepHas is affected until it upgrades to version 1.0.8 or later.

Risk and Exploitability

The CVSS v4.0 score assigned by GitHub is 9.4 (critical); NVD's separate CVSS v3.1 assessment is 8.8 (high). Both vectors rate the attack vector as local (AV:L), and the SSVC decision point recorded for the CVE lists Exploitation as none and Automatable as no. The EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path is application code that depends on deephas and feeds it externally supplied key paths; an attacker who controls such a path can direct the library at constructor.prototype and pollute the global prototype (inferred). The risk is significant because prototype pollution affects the whole runtime rather than a single object, so any process running the affected version becomes a target (inferred).

Generated by OpenCVE AI on April 18, 2026 at 18:39 UTC.

Remediation

The advisory states that the issue is fixed in deephas version 1.0.8; no separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade the deephas npm package to version 1.0.8 or later
  • Audit project dependencies (for example with npm audit or npm ls deephas) to ensure no other copies of the vulnerable version remain, and pin the resolved version in the lockfile
  • If an upgrade is not immediately possible, reject key paths containing the segments __proto__, constructor, or prototype before calling deepHas, or stop passing untrusted data to deepHas altogether

Generated by OpenCVE AI on April 18, 2026 at 18:39 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-2733-6c58-pf27
Title: deepHas vulnerable to Prototype Pollution via constructor.prototype

History

Wed, 25 Feb 2026 15:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Mon, 02 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Sharpred; Sharpred deephas

Type: Vendors & Products
Values Added: Sharpred; Sharpred deephas


Thu, 29 Jan 2026 22:00:00 +0000

Type: Description
Values Added: deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Type: Title
Values Added: deepHas vulnerable to Prototype Pollution via constructor.prototype

Type: Weaknesses
Values Added: CWE-1321

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:35:22.701Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25047

Vulnrichment

Updated: 2026-01-30T14:48:56.330Z

NVD

Status : Analyzed

Published: 2026-01-29T22:15:55.647

Modified: 2026-02-25T15:13:28.610

Link: CVE-2026-25047

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses