CVE-2026-12644
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken, leading to TypeError crashes.
Risk Assessment
The organization may experience application crashes, resulting in service downtime and potential financial losses. Improper handling of input data may also lead to unforeseen application behavior.
Recommendation
It is recommended to update the ts-deepmerge package to version 8.0.0 or later to mitigate this vulnerability. Additionally, conducting a code audit to ensure proper handling of input data is advisable.
Original NVD description (English source)
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

