Vulnerability Summary

Severity: Critical
CVE ID: CVE-2026-25047
Package: deephas (npm)
Affected Version: 1.0.7
Patched Version: 1.0.8

Vulnerability Description

A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package, allowing an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Details

The vulnerability resides in the function and function implemented within deepHas.js. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership and forbidden string usage, these checks can be bypassed.

Proof of Concept (PoC)

Steps to Reproduce

1. Install version 1.0.7 of deephas using .
2. Run the following code snippets:

OR

Expected Behavior

Prototype pollution should be prevented, and should not gain new properties.

Actual Behavior

Object.prototype is polluted, and the property becomes globally accessible.

Impact

This prototype pollution vulnerability can have severe security implications, potentially leading to:

1. Authentication bypass
2. Denial of service
3. Remote code execution
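
The expected behavior above can be enforced and regression-tested in a deep-path setter as follows. This is an added example, not deephas code and not the 1.0.8 patch; the helper names (`safeDeepSet`, `pollutedKeys`, `audit`) and the sample paths are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not taken from deephas.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
// Snapshot taken at load time; assumes this runs before untrusted input is handled.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Names present on Object.prototype now that were absent at load time.
function pollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Coerce every segment to a string BEFORE the deny-list check, so the value
// that is compared is the same value later used as a property key.
function toSegments(path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  return parts.map((p) => String(p));
}

function defineOwn(node, key, value) {
  Object.defineProperty(node, key, { value, writable: true, enumerable: true, configurable: true });
}

function safeDeepSet(target, path, value) {
  const segments = toSegments(path);
  if (segments.length === 0 || segments.some((s) => s === '' || FORBIDDEN.has(s))) {
    throw new TypeError('rejected path: ' + JSON.stringify(path));
  }
  const last = segments.pop();
  let node = target;
  for (const key of segments) {
    // Descend only through own object-valued properties, never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') defineOwn(node, key, {});
    node = node[key];
  }
  defineOwn(node, last, value);
  return target;
}

// Constructed regression inputs: three shapes that must be refused, one benign.
const SAMPLE_PATHS = ['__proto__.polluted', 'constructor.prototype.polluted',
  [['__proto__'], 'polluted'], 'a.b.c'];

// Run a setter over the samples and report what it did to Object.prototype.
function audit(setter) {
  return SAMPLE_PATHS.map((path) => {
    let outcome = 'accepted';
    try { setter({}, path, true); } catch (e) { outcome = 'rejected'; }
    return { path: JSON.stringify(path), outcome, polluted: pollutedKeys() };
  });
}
```

Passing another setter with the same `(object, path, value)` signature to `audit` turns it into a regression check that can run on every dependency upgrade.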