CVE-2026-25047 CRITICAL

CVE-2026-25047: deepHas vulnerable to Prototype Pollution via constructor.prototype

Vendor Sharpred
Product deepHas
Weakness CWE-1321
Published January 29, 2026
Last update February 2, 2026

CVSS base score

9.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Key dates

02Disclosure timeline

January 29, 2026 CVE published
February 2, 2026 Record updated