Prototype Pollution Vulnerability in Feathersjs Framework
CVE-2026-54335

3.7LOW

Key Information:

Vendor

Feathersjs

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-54335?

The Feathersjs framework suffers from a prototype pollution vulnerability in its utility function _.merge(target, source) found in the @feathersjs/commons package. Versions 5.0.44 and earlier incorrectly handle properties when merging objects. If the source object, created using JSON.parse, contains proto, constructor, or prototype keys, these can be exposed as own-enumerable properties. This allows malicious users to manipulate Object.prototype, potentially corrupting the behavior of all plain objects in the application. The vulnerability has been addressed in version 5.0.45.

Affected Version(s)

feathers < 5.0.45

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.