GHSA-9v98-6g37-x9g6CriticalCVSS 9.9

deepstream is vulnerable to prototype pollution

Published
June 26, 2026
Last Modified
June 26, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Prototype pollution in deepstream server v <=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.

Patches

Yes, upgrade to v10.0.5

Workarounds

Filter out all messages containing the path __proto__, constructor, prototype, before they reach the server's message pipeline

🎯 Affected products1

  • npm/@deepstream/server:< 10.0.5

🔗 References (4)