CVE-2026-25047: deepHas vulnerable to Prototype Pollution via constructor.prototype

January 29, 2026

A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

References

github.com/advisories/GHSA-2733-6c58-pf27
github.com/sharpred/deepHas
github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465
github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27
nvd.nist.gov/vuln/detail/CVE-2026-25047

Code Behaviors & Features

Detect and mitigate CVE-2026-25047 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →