CVE-2026-48819
Received Received - Intake

Prototype Pollution in Hey API SDK Generation

Vulnerability report for CVE-2026-48819, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Hey API is an ecosystem for turning API specifications into production-ready code. Prior to 0.97.3, dist/clients/core/params.ts ships a runtime template copied into generated SDKs as params.gen.ts, and buildClientParams writes unknown slot-prefixed keys such as $body_, $headers_, $path_, and $query_ directly to the corresponding slot, allowing $query___proto__ alongside a legitimate q field to set params.query through params["query"]["__proto__"] = value, call Object.setPrototypeOf(params.query, value), and expose inherited attacker-controlled keys during for..in iteration. This issue is fixed in version 0.97.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
hey-api openapi-ts to 0.97.3 (exc)
hey-api openapi-ts 0.97.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Hey API versions before 0.97.3. It involves a template file that generates code for SDKs. The issue allows attackers to inject special keys like $query___proto__ into API parameters. These keys can manipulate the prototype chain of objects, potentially exposing or modifying inherited properties during iteration.

Detection Guidance

This vulnerability is specific to the Hey API ecosystem and involves prototype pollution in generated SDKs. Detection requires checking if your Hey API version is below 0.97.3. Inspect generated SDK files like params.gen.ts for unsafe slot-prefixed keys such as $query___proto__.

Impact Analysis

An attacker could exploit this to access or alter sensitive data by manipulating API parameters. This might lead to unauthorized data exposure, data corruption, or unexpected behavior in applications using affected SDKs. The impact depends on how the API is used in your system.

Mitigation Strategies

Upgrade Hey API to version 0.97.3 or later to address the prototype pollution issue. Review and regenerate all SDKs to ensure the fix is applied. Remove any custom modifications to params.gen.ts that may reintroduce the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48819. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart