PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12644 voodoocreation CVE debrief

CVE-2026-12644 is a vulnerability in ts-deepmerge, a package used for deep merging objects in TypeScript. Versions before 8.0.0 are susceptible to an Uncaught Exception due to improper handling of built-in Object.prototype methods such as toString and valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken, causing any string context operation to throw a TypeError and crash the application.

Vendor
voodoocreation
Product
ts-deepmerge
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-23
Advisory published
2026-06-19
Advisory updated
2026-06-23

Who should care

Developers and security teams using ts-deepmerge in their applications should be aware of this vulnerability. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM, indicating a moderate risk.

Technical summary

The vulnerability arises from ts-deepmerge's handling of Object.prototype methods. When merging objects, the package does not properly handle built-in methods like toString and valueOf. If user-controlled input includes these keys with non-function values, the merged object becomes malformed. Subsequent string operations on this object will throw a TypeError, leading to application crashes. This issue was addressed in version 8.0.0 of ts-deepmerge.

Defensive priority

Apply patches or upgrade to ts-deepmerge version 8.0.0 or later to mitigate this vulnerability. Review and validate user-controlled input to prevent malicious data from being merged.

Recommended defensive actions

  • Upgrade to ts-deepmerge version 8.0.0 or later
  • Validate and sanitize user-controlled input
  • Implement error handling for potential TypeErrors
  • Monitor applications for crashes related to string operations
  • Perform a thorough review of the application’s codebase to identify and address any similar issues
  • Ensure that all user-controlled input is properly validated and sanitized before being used in object merging
  • Consider implementing additional logging and monitoring to detect potential attacks

Evidence notes

The CVE record was published on 2026-06-19T06:17:01.640Z and was last modified on 2026-06-23T15:42:30.483Z. The NVD entry is currently Deferred. The vulnerability was reported by [email protected] and has a CVSS score of 5.5 with a severity of MEDIUM.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T06:17:01.640Z and has not been modified since then. The NVD entry is currently Deferred.