Prototype Pollution Vulnerability in Feathersjs Framework
CVE-2026-54335
3.7LOW
What is CVE-2026-54335?
The Feathersjs framework suffers from a prototype pollution vulnerability in its utility function _.merge(target, source) found in the @feathersjs/commons package. Versions 5.0.44 and earlier incorrectly handle properties when merging objects. If the source object, created using JSON.parse, contains proto, constructor, or prototype keys, these can be exposed as own-enumerable properties. This allows malicious users to manipulate Object.prototype, potentially corrupting the behavior of all plain objects in the application. The vulnerability has been addressed in version 5.0.45.
Affected Version(s)
feathers < 5.0.45
