GHSA-87mf-gv2c-c62cMediumCVSS 5.3

ts-deepmerge: Prototype Method Override leads to DoS

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

🎯 Affected products1

  • npm/ts-deepmerge:< 8.0.0

🔗 References (5)