CVE-2026-25047

HIGH

deephas < 1.0.8 - Prototype Pollution

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-25047. PoCs published by banyamer, XiaomingX, mbanyamer.

AI-analyzed exploit summary: This Python script demonstrates a prototype pollution vulnerability in the 'deephas' npm package (versions <= 1.0.7) by exploiting unsafe recursive property assignment. It includes two proof-of-concept exploits that pollute Object.prototype via constructor.prototype and __proto__ paths, leading to potential RCE, DoS, or security bypass.

Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Exploits (3)

exploitdb WORKING POC
by banyamer · python · webapps · multiple
https://www.exploit-db.com/exploits/52528

This Python script demonstrates a prototype pollution vulnerability in the 'deephas' npm package (versions <= 1.0.7) by exploiting unsafe recursive property assignment. It includes two proof-of-concept exploits that pollute Object.prototype via constructor.prototype and __proto__ paths, leading to potential RCE, DoS, or security bypass.

Classification
Working PoC 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: deephas npm package <= 1.0.7
No auth needed
Prerequisites: Node.js installed · deephas@1.0.7 installed
devstral-2 · analyzed May 01, 2026
github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25047

This repository contains a functional Python-based PoC demonstrating prototype pollution in the 'deephas' npm package (versions <= 1.0.7). The exploit leverages unsafe recursive property assignment to pollute Object.prototype via constructor.prototype and __proto__ paths, potentially leading to RCE or DoS.

Classification
Working PoC 100%
Attack Type
RCE | DoS
Complexity
Trivial
Reliability
Reliable
Target: deephas npm package <= 1.0.7
No auth needed
Prerequisites: Node.js installed · vulnerable deephas package (npm install deephas@1.0.7)
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 1 star
by mbanyamer · poc
https://github.com/mbanyamer/deephas-1.0.7-Prototype-Pollution-PoC-CVE-2026-25047-

This repository contains a functional Python-based PoC demonstrating prototype pollution in the 'deephas' npm package (versions <= 1.0.7), leading to arbitrary code execution or DoS via unsafe recursive property assignment.

Classification
Working PoC 95%
Attack Type
RCE | DoS
Complexity
Trivial
Reliability
Reliable
Target: deephas npm package <= 1.0.7
No auth needed
Prerequisites: Node.js installed · deephas@1.0.7 installed via npm
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0072
EPSS Percentile 48.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1321
Status published
Products (2)
npm/deephas 0 - 1.0.8
sharpred/deephas 1.0.7
Published Jan 29, 2026
Tracked Since Feb 18, 2026