CVE-2026-54335 in feathersinfo

Summary

by MITRE • 07/17/2026

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In 5.0.44 and earlier, the _.merge(target, source) utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keys(source). When source was produced by JSON.parse and contains a __proto__, constructor, or prototype key, that key is returned as an own-enumerable property; the recursive merge then resolves target['__proto__'] to Object.prototype and writes attacker-supplied properties onto it, polluting the prototype for all plain objects in the process for the lifetime of the Node process. This issue is fixed in version 5.0.45.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability exists within the Feathersjs framework version 5.0.44 and earlier, specifically within the @feathersjs/commons utility library that provides the _.merge function. The flaw stems from improper handling of prototype pollution during recursive object merging operations, creating a significant security risk that affects all applications using the affected version.

The technical implementation of this vulnerability occurs when the .merge function processes objects created through JSON.parse that contain prototype-polluting keys such as __proto_, constructor, or prototype. These keys, when present in parsed JSON data, become enumerable properties due to their nature in JavaScript object enumeration. The recursive merge process then iterates over Object.keys(source) which includes these problematic keys, allowing them to be written into the target object's prototype chain. When target['_proto_'] is assigned values from source, it directly modifies Object.prototype itself rather than just the target object's own properties.

The operational impact of this vulnerability is severe and persistent within Node.js processes, as prototype pollution affects all plain objects throughout the application lifecycle. Once an attacker successfully injects malicious data containing these prototype-polluting keys, they can manipulate the behavior of fundamental JavaScript objects including Object.prototype methods and properties. This creates a broad attack surface where subsequent operations on any plain object in the application could be influenced by the polluted prototype, potentially leading to arbitrary code execution, denial of service, or data manipulation attacks.

The vulnerability aligns with CWE-471, which specifically addresses "Modification of Externally-Controllable Data Structure," and maps to ATT&CK technique T1059.006 for JavaScript/TypeScript environment exploitation. This prototype pollution issue demonstrates a classic insecure deserialization pattern where untrusted input is processed without proper sanitization before being merged into application objects. The persistent nature of this vulnerability means that once exploited, the polluted prototype remains active for the entire Node.js process lifetime, making it particularly dangerous in long-running applications.

Applications using Feathersjs version 5.0.44 or earlier should immediately upgrade to version 5.0.45 or later to resolve this security issue. Additional mitigations include implementing strict input validation and sanitization for all JSON data processed through the merge utility, removing prototype-polluting keys from user-supplied data before merging operations, and employing defensive programming practices such as using Object.freeze on critical prototype objects. Organizations should also consider monitoring their applications for potential prototype pollution attacks and implementing runtime protections that detect anomalous prototype modifications.

Responsible

GitHub M

Reservation

06/12/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!