Uncaught Exception

CVE-2026-12644

Medium

5.5/10

Summary

ts-deepmerge versions prior to 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in `Object.prototype` methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken any string context operation throws a `TypeError`, crashing the application.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-248 - Uncaught Exception

An exception is thrown from a function, but it is not caught.

References

Advisory
Pull request
Release Note

Advisory Timeline

Published Jun 19, 2026

Uncaught Exception

CVE-2026-12644

Summary

CWE-248 - Uncaught Exception

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS