Description
deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.
Published: 2026-06-18
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a prototype pollution flaw (CWE‑1321) that allows authenticated users with write access to manipulate JavaScript object prototypes during synchronization. This flaw can elevate their privileges beyond the intended scope by injecting properties into shared objects, potentially giving them control over server‑side data structures. The CVSS score of 9.9 underscores its critical severity.

Affected Systems

All installations of DEEPSTREAM.io prior to version 10.0.5 are affected. The issue was addressed in release 10.0.5 and later versions.

Risk and Exploitability

Based on the description, the likely attack vector is an authenticated user possessing write permissions; no unauthenticated access is required. With no EPSS score available, the exploitation likelihood cannot be quantified. Though not listed in the CISA KEV catalog, the critical nature of the flaw warrants immediate mitigation.

Generated by OpenCVE AI on June 18, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to deepstream.io version 10.0.5 or later, which contains the prototype pollution fix.
  • Restrict write permissions for authenticated users to only essential operations and enforce least privilege principles.
  • Monitor server logs and configuration for unauthorized prototype modifications and enforce proper access controls.

Generated by OpenCVE AI on June 18, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.
Title deepstream is vulnerable to prototype pollution
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T20:01:31.307Z

Reserved: 2026-05-28T14:33:01.179Z

Link: CVE-2026-49252

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')