CVE-2026-12644

MEDIUM 5.3

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

CWE	CWE-248
Vendor	n/a
Product	ts-deepmerge
Published	Jun 19, 2026

Stay Ahead of the Next One

Get instant alerts for n/a ts-deepmerge

Be the first to know when new medium vulnerabilities affecting n/a ts-deepmerge are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

n/a / ts-deepmerge

0 < 8.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.snyk.io: https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-17339141 gist.github.com: https://gist.github.com/igorg1312/775fa00114c4d47df6ae0551779ab407 github.com: https://github.com/voodoocreation/ts-deepmerge/commit/305a05831a462fb2c353d3cbbff55a0733286f8c

Credits

Igor Garofano