Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization
- Severity:
- Medium
Description
A Prototype Pollution vulnerability was determined in brikcss merge up to 1.3.0. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.3.1
References
Related Issues
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- rollbar vulnerable to Prototype Pollution in merge() - CVE-2025-62517
You might also like:
- Tags:
- npm
- @brikcss/merge
Anything's wrong? Let us know Last updated on April 23, 2026


