@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty
- Severity:
- High
Description
The _copyProps function in lib/src/object/copy.ts uses for…in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (proto, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the application.
Recommendation
Update the @nevware21/ts-utils package to the latest compatible version. Followings are version details:
- Affected version(s): <= 0.13.0
- Patched version(s): 0.14.0
References
Related Issues
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-es - CVE-2026-2950
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
You might also like:
- Tags:
- npm
- @nevware21/ts-utils
Anything's wrong? Let us know Last updated on May 21, 2026


