CVE-2026-46509: Prototype Pollution in deepobj JavaScript Library
The deepobj library contains a prototype pollution vulnerability that allows attackers to manipulate JavaScript object prototypes through specially crafted property paths. When an application uses deepobj to get, set, or delete nested object properties—and exposes the property path to attacker input—an attacker can inject payloads using __proto__, constructor, or prototype keywords to corrupt the prototype chain. This can lead to unexpected behavior, denial of service, or in certain contexts, code execution. The vulnerability was resolved in version 1.0.3.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
- Weaknesses (CWE)
- CWE-1321
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46509 is a prototype pollution vulnerability in deepobj prior to 1.0.3, classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The attack exploits insufficient input validation on property paths passed to the library's get, set, and delete functions. By including __proto__, constructor, or prototype in the path string, an attacker can reach and modify the shared prototype object. This affects the entire application context, as modifications to Object.prototype or function constructors persist across all subsequently created objects. The CVSS v3.1 score of 8.2 (HIGH) reflects high integrity impact and some availability risk, with network accessibility and no privilege requirements.
Business impact
Applications relying on deepobj to handle user-controlled property paths face integrity and availability risks. A successful exploit can corrupt application state, trigger unexpected logic flows, or cause denial of service. In multi-tenant or shared environments, prototype pollution can leak or modify data belonging to other users or components. The risk is highest in web applications, APIs, and microservices that accept user input and process nested objects without sanitization, such as configuration engines, object mappers, or REST API backends that deserialize JSON with dynamic key access.
Affected systems
Any Node.js or JavaScript application using deepobj versions prior to 1.0.3 is vulnerable, provided the application exposes property paths to user input. This includes web applications, API servers, CLI tools, and backend services that rely on the library for object manipulation. The vulnerability does not affect deepobj 1.0.3 and later. Applications in air-gapped or offline environments with no user input to property paths carry reduced risk.
Exploitability
Exploitability is high if property paths are derived from untrusted sources. The attack requires no authentication, no user interaction, and is achievable over the network. A proof-of-concept is straightforward: an attacker simply passes a path like 'constructor.prototype.isAdmin' or '__proto__.admin' to a deepobj function. Detection by automatic scanning is feasible because the attack signature (keywords in property paths) is consistent. However, if property paths are hardcoded and never user-controlled, the risk is negated. The attack does not require special environment conditions or JavaScript engine bugs.
Remediation
Immediate remediation is to upgrade deepobj to version 1.0.3 or later. This version implements safeguards against pollution via reserved keywords. Short-term mitigations while patching is planned include: (1) sanitizing or validating property paths before passing them to deepobj, explicitly rejecting paths containing __proto__, constructor, or prototype; (2) running the application with frozen Object.prototype using Object.freeze(Object.prototype) to limit pollution impact; (3) restricting untrusted input to non-object-related operations or using allowlists of known-safe property names. Do not rely on sandboxing alone, as prototype pollution is not prevented by most sandbox mechanisms.
Patch guidance
Update deepobj to version 1.0.3 or later in your package.json or lock files. Run `npm update deepobj` or equivalent for your package manager, then test the update in a staging environment before production rollout. Verify that the patched version is actually deployed by checking `npm list deepobj` in the target environment or examining dependency lock files. No breaking changes are documented in 1.0.3, so upgrades should be non-disruptive. If you maintain a private fork or custom build, apply the same mitigation logic: reject or escape __proto__, constructor, and prototype keywords in property paths.
Detection guidance
Monitor for suspicious property path patterns in logs and traffic. Look for: (1) HTTP requests or API payloads containing __proto__, constructor, or prototype in JSON keys or query parameters passed to object manipulation endpoints; (2) Unexpected modifications to Object.prototype or global function constructors (use static analysis or runtime monitoring tools); (3) Unusual error messages or type errors that suggest object corruption; (4) Spike in 500 errors or assertion failures if the application uses prototype-based validation. In code review, search for calls to deepobj functions (e.g., deepobj.get, deepobj.set, deepobj.delete) preceded by user input or external data that isn't validated. Static analysis tools that detect unsafe prototype manipulation patterns can flag vulnerable code automatically.
Why prioritize this
This vulnerability merits prompt attention due to its HIGH severity, network accessibility, and ease of exploitation if property paths are user-controlled. Unlike many object manipulation bugs, prototype pollution is not environment-specific and can be triggered in production with a single malicious request. Organizations running Node.js backends, APIs, or services that deserialize and process user-supplied objects should treat this as a priority fix. The 1.0.3 patch is readily available and low-risk to deploy, making remediation friction minimal.
Risk score, explained
The CVSS v3.1 score of 8.2 reflects: (1) Attack Vector Network (AV:N)—exploitation is remote over the network; (2) Attack Complexity Low (AC:L)—no special conditions or brute-force required; (3) Privileges Required None (PR:N)—attacker needs no prior access; (4) User Interaction None (UI:N)—automatic exploitation is feasible; (5) Scope Unchanged (S:U)—impact is confined to the vulnerable application; (6) Confidentiality None (C:N)—no direct information disclosure; (7) Integrity High (I:H)—object state and logic can be corrupted; (8) Availability Low (A:L)—denial of service is possible but not primary. The score is HIGH, not CRITICAL, because confidentiality is not impacted and the attack assumes user-controlled input paths, which may not be universal across all deepobj deployments.
Frequently asked questions
Does every application using deepobj need to patch immediately?
No. If your application never exposes property paths to user input—i.e., all paths are hardcoded or derived from trusted sources—the risk is negligible. However, if you accept path inputs from external users, APIs, or config files without validation, you should patch or mitigate urgently. Review your codebase for deepobj calls and trace the origin of their path arguments.
Is prototype pollution only a Node.js problem?
Prototype pollution is a JavaScript language issue that affects any JavaScript runtime, including browsers and Node.js. However, CVE-2026-46509 specifically impacts the deepobj library, which is primarily used in Node.js. Browser-based applications using deepobj (e.g., bundled via browserify or webpack) are also vulnerable if they pass user input to deepobj functions.
Can I stay on an older version of deepobj if I freeze Object.prototype?
Freezing Object.prototype will prevent pollution from persisting across the entire application, but it is not a bulletproof defense and may break legitimate code that relies on modifying prototypes. It is also a runtime check with performance overhead. Upgrading to 1.0.3 is the recommended approach because it fixes the root cause at the library level and is a simple one-line update.
What if I cannot upgrade deepobj immediately due to other dependencies?
First, verify that no other dependencies conflict with deepobj 1.0.3 by testing in an isolated environment. If a true conflict exists, apply input validation: wrap user input in a validation function that rejects or escapes __proto__, constructor, and prototype keywords before passing it to deepobj. Additionally, consider the feasibility of upgrading the conflicting dependency or switching to an alternative object manipulation library that is not vulnerable to prototype pollution.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. Specific patch effectiveness, compatibility, and organizational risk depend on your actual deployment, configuration, and use of deepobj. Always test patches in a staging environment before production rollout. SEC.co does not provide legal or compliance advice; consult your own security team and policies regarding remediation timelines. Information presented here is accurate to the best of our knowledge but may change as vendor advisories or threat intelligence evolves. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-45302HIGHPrototype Pollution in parse-nested-form-data Before 1.0.1
- CVE-2026-46510HIGHform-data-objectizer Prototype Pollution Vulnerability (CVSS 8.2)
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction