PatchSiren cyber security CVE debrief
CVE-2026-46509 ranfdev CVE debrief
CVE-2026-46509 documents a prototype pollution vulnerability in the deepobj JavaScript library, affecting versions prior to 1.0.3. The library provides utility functions for deep object manipulation (get, set, delete operations). The vulnerability occurs when property paths containing special keys (__proto__, constructor, or prototype) are processed, allowing modification of Object.prototype. This can lead to application-wide logic corruption, denial of service, or in some cases remote code execution, depending on downstream application behavior. The CVSS 3.1 score of 8.2 (HIGH) reflects a network attack vector, low attack complexity, no privileges required, no user interaction, high impact to integrity and low impact to availability. The vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The fix in version 1.0.3 addresses the unsafe path handling. Notably, the CVE description states that the property path is not meant to be exposed as user input, so exploitation requires an application that does expose it; this makes the issue primarily a defense-in-depth concern for applications that may inadvertently pass such paths through.
- Vendor: ranfdev
- Product: deepobj
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations using deepobj in production JavaScript/Node.js applications, particularly those performing dynamic object manipulation with externally influenced property paths. Security teams should prioritize this for applications whose input processing pipelines construct object paths dynamically from external data.
Technical summary
The deepobj library (prior to 1.0.3) fails to sanitize special property path segments (__proto__, constructor, prototype) during deep object operations. When these segments are processed, they can modify properties of Object.prototype, causing prototype pollution. This is the classic JavaScript prototype pollution pattern: attacker-controlled input to object property resolution logic poisons the prototype chain, and every object that inherits from Object.prototype then sees the injected property. The vulnerability requires the property path to reach the vulnerable code; the CVE description notes this path should not be user-exposed, indicating the primary risk is in applications that incorrectly expose internal path construction to external input. The fix in 1.0.3 properly handles these special keys to prevent prototype chain modification.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade deepobj to version 1.0.3 or later to remediate the prototype pollution vulnerability
- Audit application code to ensure property paths passed to deepobj functions are not derived from untrusted user input
- Implement input validation and sanitization for any dynamic property path construction before passing to deepobj
- Review downstream dependencies and applications using deepobj for potential prototype pollution exploitation chains
- Consider using Object.freeze(Object.prototype) as a runtime hardening measure where feasible
- Monitor for anomalous object behavior in applications using affected deepobj versions that may indicate active exploitation
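The following is an added example, not deepobj's code or the fix shipped in 1.0.3, of the path validation described in the technical summary and recommended above: a deep-set helper that refuses the three special segments named in the advisory and only descends through own properties, plus a small check a test suite can use to confirm Object.prototype has not been polluted. The dotted-path syntax and the function names (`safeSet`, `parsePath`, `prototypeIsPolluted`) are assumptions for this illustration.

```javascript
// Added example (not deepobj's code): hardened deep-set with path validation.
// Segments that can reach the prototype chain are rejected before any write.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Accept a dotted string ("a.b.c") or an array of segments (assumed syntax);
// throw rather than silently drop a forbidden segment so callers notice.
function parsePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split(".");
  if (segments.length === 0 || segments.some((s) => s === "")) {
    throw new TypeError("empty path segment");
  }
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing prototype-polluting path segment: ${seg}`);
    }
  }
  return segments;
}

// Set a nested value, creating intermediate containers only as own properties.
function safeSet(target, path, value) {
  const segments = parsePath(path);
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Never follow an inherited property: if the segment is not an own,
    // non-null object on the current level, replace it with a fresh container.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Detection helper for tests or runtime self-checks: a freshly created empty
// object should never report a marker key; if it does, the prototype is polluted.
function prototypeIsPolluted(markerKey) {
  return markerKey in {};
}

module.exports = { parsePath, safeSet, prototypeIsPolluted };
```

Running `safeSet({}, "__proto__.polluted", true)` throws instead of writing, and `prototypeIsPolluted("polluted")` stays false afterwards.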
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-x7q7-fchv-8h2j. NVD record shows vulnStatus as 'Received'. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L. CWE-1321 identified as primary weakness. Fix version 1.0.3 confirmed in advisory.
Official resources
- CVE-2026-46509 CVE record (CVE.org)
- CVE-2026-46509 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28