Intel

AIKIDO-2026-438647

@instana/core is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

JS@instana/core
1.63.2 - 6.2.1
Fixed in 6.2.2
Are you affected? Scan for Free

TL;DR

The deepMerge utility in @instana/core (packages/core/src/util/deepMerge.js) recursively merges source objects into a target without filtering dangerous property keys. When a source object contains keys such as __proto__, constructor, or prototype (for example from JSON.parse of attacker-influenced input), the recursive merge writes onto Object.prototype, polluting every object in the runtime. This can enable application logic manipulation, property injection, and potential escalation depending on the consuming application. The fix updates deepMerge to skip these unsafe keys during the merge.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@instana/core is vulnerable to Prototype Pollution in versions 1.63.2 - 6.2.1.

How to fix this

Upgrade the @instana/core library to the patch version.