PatchSiren cyber security CVE debrief
CVE-2026-12644 voodoocreation CVE debrief
CVE-2026-12644 is a vulnerability in ts-deepmerge, a package used for deep merging objects in TypeScript. Versions before 8.0.0 are susceptible to an Uncaught Exception due to improper handling of built-in Object.prototype methods such as toString and valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken, causing any string context operation to throw a TypeError and crash the application.
- Vendor
- voodoocreation
- Product
- ts-deepmerge
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-19
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-19
- Advisory updated
- 2026-06-23
Who should care
Developers and security teams using ts-deepmerge in their applications should be aware of this vulnerability. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM, indicating a moderate risk.
Technical summary
The vulnerability arises from ts-deepmerge's handling of Object.prototype methods. When merging objects, the package does not properly handle built-in methods like toString and valueOf. If user-controlled input includes these keys with non-function values, the merged object becomes malformed. Subsequent string operations on this object will throw a TypeError, leading to application crashes. This issue was addressed in version 8.0.0 of ts-deepmerge.
Defensive priority
Apply patches or upgrade to ts-deepmerge version 8.0.0 or later to mitigate this vulnerability. Review and validate user-controlled input to prevent malicious data from being merged.
Recommended defensive actions
- Upgrade to ts-deepmerge version 8.0.0 or later
- Validate and sanitize user-controlled input
- Implement error handling for potential TypeErrors
- Monitor applications for crashes related to string operations
- Perform a thorough review of the application’s codebase to identify and address any similar issues
- Ensure that all user-controlled input is properly validated and sanitized before being used in object merging
- Consider implementing additional logging and monitoring to detect potential attacks
Evidence notes
The CVE record was published on 2026-06-19T06:17:01.640Z and was last modified on 2026-06-23T15:42:30.483Z. The NVD entry is currently Deferred. The vulnerability was reported by [email protected] and has a CVSS score of 5.5 with a severity of MEDIUM.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T06:17:01.640Z and has not been modified since then. The NVD entry is currently Deferred.