@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty
- Severity: High
Description
The `_copyProps` function in `lib/src/object/copy.ts` uses `for...in` to iterate over source object properties without an `Object.hasOwnProperty` check, and does not filter dangerous keys (`__proto__`, `constructor`, `prototype`). This allows an attacker to pollute the prototype chain of all objects in the application.
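The copy pattern described above next to a hardened form, with a regression check, as an added example: this is not the @nevware21/ts-utils source, and every function name in it (`unsafeDeepCopy`, `safeDeepCopy`, `pollutes`) is hypothetical. It assumes plain objects only and uses a constructed JSON input.

```javascript
// Added illustration; NOT the @nevware21/ts-utils source. All names are hypothetical.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Pattern the advisory describes: for...in, no own-property check, no key filter.
function unsafeDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObj(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype.
      if (!isObj(target[key])) target[key] = {};
      unsafeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: own enumerable keys only, dangerous keys skipped,
// and nested values merged only into objects the target itself owns.
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObj(value)) {
      const child = hasOwn(target, key) && isObj(target[key]) ? target[key] : {};
      target[key] = safeDeepCopy(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: copy a constructed input, report whether Object.prototype changed.
function pollutes(copyFn) {
  const input = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}'); // constructed
  copyFn({}, input);
  const hit = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state
  return hit;
}

console.log(pollutes(unsafeDeepCopy), pollutes(safeDeepCopy)); // true false
```

The `pollutes` helper can be pointed at any copy or merge function in a unit test to confirm that an upgrade or a local wrapper closes the issue.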
Recommendation
Update the @nevware21/ts-utils package to the latest compatible version. Version details:
- Affected version(s): <= 0.13.0
- Patched version(s): 0.14.0
References
Related Issues
- Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` - CVE-2026-42044
- Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
- Axios: Header Injection via Prototype Pollution - CVE-2026-42035
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- Tags: npm, @nevware21/ts-utils
Last updated on May 21, 2026


