Uncaught Exception Vulnerability in ts-deepmerge Package by Voodoo Creation
CVE-2026-12644
6.9 MEDIUM
What is CVE-2026-12644?
The ts-deepmerge package prior to version 8.0.0 is vulnerable to an uncaught exception because it does not adequately handle keys that match built-in Object.prototype methods, such as toString and valueOf. An attacker can exploit this by supplying user-controlled input that contains these keys with non-function values. The merged object then becomes unstable: any operation that requires a string context triggers a TypeError, ultimately crashing the application.
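The failure mode described above and a pre-merge check, as an added example that is not from the advisory or from ts-deepmerge. `naiveMerge` is a hypothetical stand-in for a merge that copies every own key, the other function names are illustrative, and the input is a constructed sample; the check is meant for code that cannot yet move to 8.0.0.

```javascript
// Added illustration. naiveMerge is a hypothetical stand-in for a recursive
// merge that copies every own key; it is not ts-deepmerge's source.
const isObject = (v) => v !== null && typeof v === 'object';
const isPlainObject = (v) => isObject(v) && !Array.isArray(v);

function naiveMerge(...sources) {
  const out = {};
  for (const src of sources) {
    for (const [key, value] of Object.entries(src)) {
      const recurse = isPlainObject(out[key]) && isPlainObject(value);
      out[key] = recurse ? naiveMerge(out[key], value) : value;
    }
  }
  return out;
}

// Paths of own keys that shadow an Object.prototype method with a non-function.
function shadowedBuiltins(obj, path = '') {
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (typeof Object.prototype[key] === 'function' && typeof value !== 'function') {
      hits.push(here);
    } else if (isObject(value)) {
      hits.push(...shadowedBuiltins(value, here));
    }
  }
  return hits;
}

// Reject at the trust boundary with an error the caller can catch and handle.
function safeMerge(...sources) {
  const hits = sources.flatMap((src) => shadowedBuiltins(src));
  if (hits.length > 0) {
    throw new Error(`input shadows Object.prototype methods: ${hits.join(', ')}`);
  }
  return naiveMerge(...sources);
}

// True when the value survives string coercion, false when coercion throws.
function stringifies(value) {
  try { String(value); return true; } catch { return false; }
}

// Constructed sample input, shaped like a parsed JSON request body.
const defaults = { name: 'untitled', meta: { owner: 'system' } };
const untrusted = JSON.parse('{"name":"report","meta":{"toString":"x"}}');
console.log(stringifies(naiveMerge(defaults, untrusted).meta)); // false
console.log(shadowedBuiltins(untrusted));                       // [ 'meta.toString' ]
```

Running the check before the merge turns a late TypeError in unrelated code (logging, templating, string concatenation) into a validation failure at the point where the input is received.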
Affected Version(s)
ts-deepmerge: versions 0 up to, but not including, 8.0.0
