๐Ÿ” CVE Alert

CVE-2026-54335

LOW 3.7

Feathersjs: Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__

CVSS Score
3.7
EPSS Score
0.0%
EPSS Percentile
0th

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In 5.0.44 and earlier, the _.merge(target, source) utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keys(source). When source was produced by JSON.parse and contains a __proto__, constructor, or prototype key, that key is returned as an own-enumerable property; the recursive merge then resolves target['__proto__'] to Object.prototype and writes attacker-supplied properties onto it, polluting the prototype for all plain objects in the process for the lifetime of the Node process. This issue is fixed in version 5.0.45.

CWE CWE-1321
Vendor feathersjs
Product feathers
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for feathersjs feathers

Be the first to know when new low vulnerabilities affecting feathersjs feathers are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

feathersjs / feathers
< 5.0.45

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/feathersjs/feathers/security/advisories/GHSA-28xv-ph75-77wh github.com: https://github.com/feathersjs/feathers/pull/3690 github.com: https://github.com/feathersjs/feathers/commit/28b3c03c63bdbff53115fdaa46c56980e7942acc github.com: https://github.com/feathersjs/feathers/releases/tag/v5.0.45