Description
deepobj provides get, set and delete operations on deep objects in JavaScript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__, constructor or prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3.
Published: 2026-05-28
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The deepobj library provides deep get, set, and delete operations on JavaScript objects. A flaw allows prototype pollution when property paths include the substrings __proto__, constructor, or prototype. Based on the description, it is inferred that if an application constructs such paths from user input, an attacker could inject arbitrary properties into the global Object prototype, altering the behaviour of every object in the runtime. The weakness is classified as CWE-1321 and is resolved in version 1.0.3.

Affected Systems

Any deployment that uses @ranfdev/deepobj prior to v1.0.3 and that accepts property paths from user input is affected. Projects relying on deepobj for deep object manipulation without validating or sanitizing property paths remain at risk until they upgrade to v1.0.3 or later. Based on the description, it is inferred that accepting property paths as user input constitutes the attack vector.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Exploit probability data is not available, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. Based on the description, it is inferred that the flaw can be triggered by any user-supplied property path that is not validated, effectively allowing an attacker to modify the Object prototype. The high score and the impact associated with CWE-1321 represent a significant risk, warranting prompt remediation.

Generated by OpenCVE AI on May 28, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade deepobj to version 1.0.3 or later to apply the vendor-supplied fix.
  • Validate or sanitize all user-supplied property paths, ensuring they contain none of the disallowed substrings (__proto__, constructor, prototype).
  • Implement runtime checks or use defensive coding patterns to verify that the Object prototype remains unaltered after any deep property operation.
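The path guard and the runtime prototype check that the two recommended actions above describe, as an added JavaScript example that is not part of this advisory and is not deepobj's own code (the function names isSafePath, safeSet, safeDelete and prototypeIsClean, and the dotted-path syntax, are assumptions made for this example; deepobj's real API is not reproduced here). The guard compares whole path segments rather than substrings, so a legitimate key such as "prototypes" is allowed while the three dangerous names are refused.

```javascript
// Added example (not deepobj's code): refuse the path segments named in the
// advisory and verify after the fact that Object.prototype is unchanged.
// All function names here are assumptions for this example.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either a dotted string ("a.b.c") or an array of segments.
function toSegments(path) {
  const segs = Array.isArray(path) ? path : String(path).split('.');
  return segs.map(String);
}

// A path is safe only if every segment is non-empty and none of them is a
// forbidden name. Whole-segment comparison avoids blocking keys such as
// "prototypes" while still rejecting "__proto__", "constructor", "prototype".
function isSafePath(path) {
  return toSegments(path).every((s) => s.length > 0 && !FORBIDDEN_SEGMENTS.has(s));
}

// Walk to the parent of the last segment, creating plain objects as needed.
// Only own, non-null object values are descended into, so an inherited
// property can never be used as a pivot into the prototype chain.
function walkToParent(target, segs) {
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  return node;
}

// Deep set that throws on an unsafe path instead of writing it.
function safeSet(target, path, value) {
  if (!isSafePath(path)) {
    throw new Error(`refusing unsafe property path: ${String(path)}`);
  }
  const segs = toSegments(path);
  walkToParent(target, segs)[segs[segs.length - 1]] = value;
  return target;
}

// Deep delete with the same guard; returns true if an own property was removed.
function safeDelete(target, path) {
  if (!isSafePath(path)) {
    throw new Error(`refusing unsafe property path: ${String(path)}`);
  }
  const segs = toSegments(path);
  const parent = walkToParent(target, segs);
  const last = segs[segs.length - 1];
  if (!Object.prototype.hasOwnProperty.call(parent, last)) return false;
  delete parent[last];
  return true;
}

// Runtime check: snapshot Object.prototype's own keys at startup and compare
// after deep operations. Any new own key means the prototype was polluted.
function snapshotPrototype() {
  return new Set(Reflect.ownKeys(Object.prototype));
}

function prototypeIsClean(baseline) {
  const now = Reflect.ownKeys(Object.prototype);
  return now.length === baseline.size && now.every((k) => baseline.has(k));
}

// Demonstration on a constructed config object (sample data, not real input).
function demo() {
  const baseline = snapshotPrototype();
  const cfg = {};
  safeSet(cfg, 'server.port', 8080);
  let rejected = false;
  try {
    safeSet(cfg, '__proto__.polluted', true); // the advisory's dangerous segment
  } catch (e) {
    rejected = true;
  }
  const removed = safeDelete(cfg, 'server.port');
  return {
    rejected,
    removed,
    clean: prototypeIsClean(baseline),
    leaked: ({}).polluted, // stays undefined when nothing was polluted
  };
}
```

Call demo() after startup, or keep a baseline from snapshotPrototype() and run prototypeIsClean in a health check; a failed check is a signal that some code path (this library or another) wrote into Object.prototype and the process should be treated as compromised rather than repaired in place.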


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-x7q7-fchv-8h2j
Title: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj
History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Ranfdev; Ranfdev deepobj

Type: Vendors & Products
Values Added: Ranfdev; Ranfdev deepobj

Thu, 28 May 2026 19:00:00 +0000

Type: Description
Values Added: deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3.

Type: Title
Values Added: deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Type: Weaknesses
Values Added: CWE-1321

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:52:51.541Z

Reserved: 2026-05-14T19:12:32.754Z

Link: CVE-2026-46509

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T19:16:39.280

Modified: 2026-05-28T19:16:39.280

Link: CVE-2026-46509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:06Z

Weaknesses