PatchSiren cyber security CVE debrief
CVE-2026-54335 feathersjs CVE debrief
CVE-2026-54335 is a prototype pollution vulnerability in Feathersjs framework versions 5.0.44 and earlier. The vulnerability allows an attacker to pollute the prototype for all plain objects in the process for the lifetime of the Node process. This can lead to security issues if not properly mitigated. Affected deployments should be identified and owners assigned for follow-up.
- Vendor
- feathersjs
- Product
- feathers
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using Feathersjs framework versions 5.0.44 and earlier should be aware of this vulnerability and take necessary actions to mitigate it. They should review and validate input data, implement additional security measures to prevent prototype pollution, and update to version 5.0.45 or later.
Technical summary
The _.merge(target, source) utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keys(source). When source was produced by JSON.parse and contains a __proto__, constructor, or prototype key, that key is returned as an own-enumerable property; the recursive merge then resolves target['__proto__'] to Object.prototype and writes attacker-supplied properties onto it, polluting the prototype for all plain objects in the process for the lifetime of the Node process. This issue is fixed in version 5.0.45.
Defensive priority
Low
Recommended defensive actions
- Update to version 5.0.45 or later
- Review and validate input data
- Implement additional security measures to prevent prototype pollution
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T22:17:44.840Z and has not been modified since then. The NVD entry is currently 3.7 (Low). The vulnerability affects Feathersjs framework versions 5.0.44 and earlier. Developers should verify their deployments and review official advisories for affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:44.840Z and has not been modified since then.