CVE-2026-25047
CRITICAL
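CVSS 9.4 (CVSS 4.0, Secondary metric from security-advisories@github.com; the Primary NVD metric is CVSS 3.1 8.8 HIGH)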
No EPSS data
Description
deepHas provides a test for the existence of a nested object key and optionally returns that key. Version 1.0.7 of the deephas npm package contains a prototype pollution vulnerability (CWE-1321) that allows an attacker to modify global object behavior. The issue was fixed in version 1.0.8; the CPE configuration in this record marks only 1.0.7 as vulnerable.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-25047",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 8.8,
"attackVector": "LOCAL",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "LOW",
"confidentialityImpact": "HIGH"
},
"impactScore": 6,
"exploitabilityScore": 2
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 9.4,
"Automatable": "NOT_DEFINED",
"attackVector": "LOCAL",
"baseSeverity": "CRITICAL",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"subIntegrityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"vulnAvailabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-01-29T22:15:55.647",
"references": [
{
"url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465",
"tags": [
"Patch"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27",
"tags": [
"Exploit",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."
},
{
"lang": "es",
"value": "deepHas proporciona una prueba para la existencia de una clave de objeto anidado y opcionalmente devuelve esa clave. Existe una vulnerabilidad de contaminaci\u00f3n de prototipos en la versi\u00f3n 1.0.7 del paquete npm deephas que permite a un atacante modificar el comportamiento de objetos globales. Este problema fue solucionado en la versi\u00f3n 1.0.8."
}
],
"lastModified": "2026-02-25T15:13:28.610",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sharpred:deephas:1.0.7:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "0D998147-9A29-4864-97BD-88D814F73D54"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}