CVE Catalog

CVE-2026-12644

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile — higher than 22% of all known CVEs

Summary

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken, leading to TypeError crashes.

Risk Assessment

The organization may experience application crashes, resulting in service downtime and potential financial losses. Improper handling of input data may also lead to unforeseen application behavior.

Recommendation

It is recommended to update the ts-deepmerge package to version 8.0.0 or later to mitigate this vulnerability. Additionally, conducting a code audit to ensure proper handling of input data is advisable.

Original NVD description (English source)

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS