PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54335 feathersjs CVE debrief

CVE-2026-54335 is a prototype pollution vulnerability in Feathersjs framework versions 5.0.44 and earlier. The vulnerability allows an attacker to pollute the prototype for all plain objects in the process for the lifetime of the Node process. This can lead to security issues if not properly mitigated. Affected deployments should be identified and owners assigned for follow-up.

Vendor
feathersjs
Product
feathers
CVSS
LOW 3.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers and administrators using Feathersjs framework versions 5.0.44 and earlier should be aware of this vulnerability and take necessary actions to mitigate it. They should review and validate input data, implement additional security measures to prevent prototype pollution, and update to version 5.0.45 or later.

Technical summary

The _.merge(target, source) utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keys(source). When source was produced by JSON.parse and contains a __proto__, constructor, or prototype key, that key is returned as an own-enumerable property; the recursive merge then resolves target['__proto__'] to Object.prototype and writes attacker-supplied properties onto it, polluting the prototype for all plain objects in the process for the lifetime of the Node process. This issue is fixed in version 5.0.45.

Defensive priority

Low

Recommended defensive actions

  • Update to version 5.0.45 or later
  • Review and validate input data
  • Implement additional security measures to prevent prototype pollution
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T22:17:44.840Z and has not been modified since then. The NVD entry is currently 3.7 (Low). The vulnerability affects Feathersjs framework versions 5.0.44 and earlier. Developers should verify their deployments and review official advisories for affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:44.840Z and has not been modified since then.