CVE-2026-12644
Status: Received - Intake
ts-deepmerge Prototype Pollution Leading to Uncaught Exception

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Snyk

Description
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken: any string context operation throws a TypeError, crashing the application.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: voodoocreation
Product: ts_deepmerge
Version / Range: up to 8.0.0 (exclusive)
CWE
CWE-248: An exception is thrown from a function, but it is not caught.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-12644 is a vulnerability in the ts-deepmerge package versions before 8.0.0 caused by improper handling of built-in Object.prototype methods such as toString and valueOf.

When user-controlled input contains these keys with non-function values, the merged object becomes corrupted. This corruption causes any string context operation, like template literals or concatenation, to throw a TypeError exception, which crashes the application.

The root cause is that the merge() function's blocklist only protected against overrides of __proto__, constructor, and prototype, but did not include other dangerous Object.prototype methods. This allowed attackers to override these methods with non-function values, leading to application crashes.

Impact Analysis

This vulnerability can cause your application to crash unexpectedly due to uncaught TypeError exceptions when performing string operations on merged objects.

An attacker can exploit this by providing malicious input containing keys like toString or valueOf with non-function values, leading to denial-of-service (DoS) conditions.

Since the vulnerability requires no special privileges or user interaction and can be exploited remotely, it poses a risk of application downtime and instability.

Detection Guidance

This vulnerability can be detected by checking whether your project uses the ts-deepmerge package in a version before 8.0.0; those versions are vulnerable to crashes caused by improper handling of Object.prototype method keys.

You can detect the vulnerable package version by running commands to inspect your installed packages, such as:

  • npm list ts-deepmerge
  • yarn list ts-deepmerge

Additionally, monitoring application logs for TypeError exceptions related to string context operations (e.g., template literals or concatenation) involving toString, valueOf, or other Object.prototype methods may indicate exploitation attempts.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade the ts-deepmerge package to version 8.0.0 or later, where the vulnerability has been fixed by expanding the blocklist of unsafe Object.prototype keys.

If upgrading is not immediately possible, ensure that user-controlled input does not contain keys like toString, valueOf, hasOwnProperty, isPrototypeOf, propertyIsEnumerable, or toLocaleString with non-function values before merging.

Review and apply patches or fixes from the official repository that extend the blocklist to prevent prototype pollution attacks.
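The root cause described in the Executive Summary and the expanded blocklist recommended above, shown side by side in an added example. This is illustrative code written for this page, not ts-deepmerge's own implementation; the two key lists are assumptions taken from the advisory text, and the untrusted input is constructed.

```javascript
// Added example, not ts-deepmerge's own code: a minimal recursive merge that
// mimics the two blocklists the advisory describes (key lists are assumptions).
const LEGACY_BLOCKLIST = new Set(["__proto__", "constructor", "prototype"]);
// Adds the Object.prototype method names listed in the mitigation section.
const EXPANDED_BLOCKLIST = new Set([
  ...LEGACY_BLOCKLIST,
  "toString", "valueOf", "hasOwnProperty", "isPrototypeOf",
  "propertyIsEnumerable", "toLocaleString",
]);

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Merge `source` into a copy of `target`, recursing into nested objects and
// skipping any key found in `blocklist` at every depth.
function mergeWith(blocklist, target, source) {
  const out = { ...target };
  for (const key of Object.keys(source)) {
    if (blocklist.has(key)) continue;
    const a = out[key];
    const b = source[key];
    out[key] = isPlainObject(a) && isPlainObject(b) ? mergeWith(blocklist, a, b) : b;
  }
  return out;
}

// Returns false if using `obj` in a string context (a template literal)
// throws the TypeError the advisory describes, true otherwise.
function survivesStringContext(obj) {
  try {
    `${obj}`;
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// Constructed sample: untrusted JSON carrying `toString` as a plain string,
// both at the top level and inside a nested object.
const UNTRUSTED_JSON =
  '{"theme":"dark","toString":"x","settings":{"lang":"en","toString":"y"}}';
const DEFAULTS = { theme: "light", settings: { lang: "de" } };

// Pre-8.0.0 behaviour: the merged object throws in any string context.
const mergeLegacy = () => mergeWith(LEGACY_BLOCKLIST, DEFAULTS, JSON.parse(UNTRUSTED_JSON));
// Hardened behaviour: the poisoned keys are dropped, the rest still merges.
const mergeHardened = () => mergeWith(EXPANDED_BLOCKLIST, DEFAULTS, JSON.parse(UNTRUSTED_JSON));
```

Because the blocklist is applied on every recursion level, the nested `settings.toString` key is dropped as well; a check applied only at the top level would still leave the nested object unusable in a string context.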
