CVE-2026-25047

HIGH

NPM Deephas < 1.0.8 - Prototype Pollution

Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25047

nomisec WORKING POC 1 star
by mbanyamer · poc
https://github.com/mbanyamer/deephas-1.0.7-Prototype-Pollution-PoC-CVE-2026-25047-

Scores

CVSS v3 8.8
EPSS 0.0001
EPSS Percentile 0.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE CWE-1321
Status published

Affected Products (2)

npm/deephas < 1.0.8 (npm)
sharpred/deephas

Timeline

Published Jan 29, 2026
Tracked Since Feb 18, 2026