Description
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
Scores
CVSS v3
5.3
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-248
Status
published
Products (2)
None/ts-deepmerge
< 8.0.0
npm/ts-deepmerge
0 - 8.0.0npm
Published
Jun 19, 2026
Tracked Since
Jun 19, 2026