{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@theecryptochad/merge-guard--1.0.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@theecryptochad/merge-guard (\u003c 1.0.1)"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","javascript","node.js"],"_cs_type":"advisory","_cs_vendors":["TheeCryptoChad"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@theecryptochad/merge-guard\u003c/code\u003e npm package, specifically versions prior to 1.0.1, contains a prototype pollution vulnerability in its \u003ccode\u003edeepMerge()\u003c/code\u003e function. This vulnerability arises from the lack of sanitization of reserved property keys like \u003ccode\u003e__proto__\u003c/code\u003e during the recursive merging of objects. If an attacker can control the contents of the source object passed to \u003ccode\u003edeepMerge()\u003c/code\u003e, they can inject \u003ccode\u003e__proto__\u003c/code\u003e properties that modify the base \u003ccode\u003eObject.prototype\u003c/code\u003e. This pollution affects all objects within the Node.js runtime, potentially leading to privilege escalation, application logic bypass, or other unexpected behavior. Successful exploitation requires the application to use \u003ccode\u003edeepMerge()\u003c/code\u003e with user-controlled input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe application receives untrusted data from an external source (e.g., HTTP request, WebSocket message, config file).\u003c/li\u003e\n\u003cli\u003eThe untrusted data is parsed as a JSON object.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the JSON object to include a \u003ccode\u003e__proto__\u003c/code\u003e property with a malicious payload as its value. For example: \u003ccode\u003e{\u0026quot;__proto__\u0026quot;: {\u0026quot;isAdmin\u0026quot;: true}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeepMerge()\u003c/code\u003e function is called with a target object and the attacker-controlled JSON object as the source.\u003c/li\u003e\n\u003cli\u003eDue to the missing sanitization, the \u003ccode\u003e__proto__\u003c/code\u003e property in the source object overwrites the \u003ccode\u003eObject.prototype\u003c/code\u003e with the malicious payload.\u003c/li\u003e\n\u003cli\u003eSubsequently, all objects in the Node.js runtime inherit the injected properties (e.g., \u003ccode\u003eisAdmin: true\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the polluted \u003ccode\u003eObject.prototype\u003c/code\u003e to bypass application logic or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s behavior is altered, potentially leading to data breaches, unauthorized access, or other security impacts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications using vulnerable versions of \u003ccode\u003e@theecryptochad/merge-guard\u003c/code\u003e and passing unsanitized user-supplied data to the \u003ccode\u003edeepMerge()\u003c/code\u003e function are at risk. An attacker can inject arbitrary properties onto \u003ccode\u003eObject.prototype\u003c/code\u003e, leading to privilege escalation and application logic bypass. The number of affected applications is currently unknown, but the risk is significant for applications that process untrusted input. A successful attack allows the attacker to modify the behavior of the entire Node.js application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@theecryptochad/merge-guard \u0026gt;= 1.0.1\u003c/code\u003e to remediate the vulnerability. This version adds a blocklist to prevent modification of \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, and \u003ccode\u003eprototype\u003c/code\u003e properties (see Remediation section in Content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Prototype Pollution via deepMerge\u0026rdquo; to detect attempts to exploit this vulnerability via HTTP requests containing \u003ccode\u003e__proto__\u003c/code\u003e keys (see Rules).\u003c/li\u003e\n\u003cli\u003eSanitize all user-supplied data before passing it to \u003ccode\u003edeepMerge()\u003c/code\u003e to prevent the injection of malicious properties.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:10:52Z","date_published":"2026-05-11T16:10:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-merge-guard-prototype-pollution/","summary":"`@theecryptochad/merge-guard` versions prior to 1.0.1 are vulnerable to Prototype Pollution via the `deepMerge()` function, allowing an attacker who controls the source object to inject `__proto__` keys that mutate `Object.prototype`, affecting all objects in the Node.js runtime.","title":"@theecryptochad/merge-guard Prototype Pollution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-merge-guard-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — @Theecryptochad/Merge-Guard (\u003c 1.0.1)","version":"https://jsonfeed.org/version/1.1"}