Critical Prototype Pollution in deephas npm Package (CVE‑2026‑25047) Enables Remote Code Execution in Node.js Applications
What Happened — The open‑source npm module deephas (versions ≤ 1.0.7) contains a prototype‑pollution flaw (CVE‑2026‑25047, CVSS 9.8). An attacker who can supply arbitrary keys to deephas.set() can corrupt Object.prototype, leading to remote code execution, denial‑of‑service, and privilege escalation in Node.js runtimes.
Why It Matters for TPRM —
- The library is widely used across SaaS, cloud‑native, and micro‑service stacks, exposing many third‑party vendors to a critical code‑execution vector.
- Exploitation can bypass sandboxing mechanisms (e.g., vm2), compromising the confidentiality and integrity of customer data hosted by the vendor.
- The vulnerability is actively exploitable in the wild, raising the likelihood of supply‑chain compromise.
Who Is Affected — Technology SaaS providers, cloud‑infrastructure platforms, API providers, and any organization that bundles the vulnerable deephas version in its product or CI/CD pipeline.
Recommended Actions —
- Immediately upgrade
deephasto ≥ 1.0.8 across all environments. - Conduct a dependency‑scan (SBOM) to identify any transitive usage of the package.
- Apply runtime hardening (e.g., Node.js
--disable-prototype-pollutionflags, CSP, and sandbox restrictions). - Monitor logs for unusual
Object.prototypemodifications or unexpected process environment changes.
Technical Notes — Attack vector: malicious input to deephas.set() (prototype pollution) → Object.prototype contamination → arbitrary code execution via polluted properties such as process.env or require.extensions. CVE‑2026‑25047 (GHSA‑2733‑6c58‑pf27), CVSS 9.8 (Critical). Affected platforms: Node.js 16/18/20 on Linux, macOS, Windows. Source: Exploit‑DB 52528