Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization

Description

A Prototype Pollution vulnerability was determined in brikcss merge up to 1.3.0. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.3.1

References

• GHSA-3jc6-6r48-v6qf
• vuldb.com
• CVE-2026-6594
• CWE-1321
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
• CASL Ability is Vulnerable to Prototype Pollution - CVE-2026-1774
• @pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation - CVE-2025-53626
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@brikcss/merge