Publish GHSA-2733-6c58-pf27

Author: advisory-database[bot]

advisories/github-reviewed/2026/01/GHSA-2733-6c58-pf27/GHSA-2733-6c58-pf27.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2733-6c58-pf27",
+  "modified": "2026-01-29T22:21:32Z",
+  "published": "2026-01-29T22:21:32Z",
+  "aliases": [
+    "CVE-2026-25047"
+  ],
+  "summary": "deepHas vulnerable to Prototype Pollution via constructor.prototype",
+  "details": "### Summary\nA prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.\n\n### Details\nThe vulnerability resides in the `add()` function and `indexer()` function implemented within `deepHas.js`. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC\n\nBy doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or __proto__.polluted resulting in prototype pollution.\n\nThis issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.\n\n### PoC\n#### Steps to reproduce\n1. Install version 1.0.7 of `deephas` using npm install\n2. Run one of the following code snippets:\n\n```javascript\n//PoC 1\nObject.prototype.hasOwnProperty = () => true;\nconsole.log({}.polluted);\nconst dh = require('deephas');\nlet obj = {};\ndh.set(obj, 'constructor.prototype.polluted', 'yes');\nconsole.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred\n```\nOR\n\n```javascript\n//PoC 2\nString.prototype.indexOf = () => -1;\nconsole.log({}.polluted);\nconst dh = require('deephas');\nlet obj = {};\ndh.set(obj, '__proto__.polluted', 'yes');\nconsole.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted and the property polluted becomes globally accessible.\nThis is printed on the console:\n```\nundefined\nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using `deephas.set` may be affected.\nIt could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n4. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "deephas"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sharpred/deepHas"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-29T22:21:32Z",
+    "nvd_published_at": null
+  }
+}