Intel

AIKIDO-2026-887444

@75lb/deep-merge is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

56

Medium Risk

This Affects:

JS@75lb/deep-merge
1.0.0 - 1.1.3
Fixed in 1.1.4
Are you affected? Scan for Free

TL;DR

@75lb/deep-merge deep-merges the values of one object into another using a lodash assignWith customiser that recurses into every own property of the source. When the source is produced by JSON.parse, __proto__ is a real own enumerable property, so the customiser merges into it and writes through to Object.prototype. Untrusted input passed into the merge can therefore pollute the global object prototype, corrupting application logic and enabling denial of service or further escalation. The fix adds a guard that refuses to merge into __proto__, constructor, and prototype keys.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application merges untrusted input, such as parsed JSON, into an object.

Background info

@75lb/deep-merge is vulnerable to Prototype Pollution in versions 1.0.0 - 1.1.3.

How to fix this

Upgrade the @75lb/deep-merge library to the patch version.