CVE-2026-46681: @nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty

May 21, 2026

The _copyProps function in lib/src/object/copy.ts uses for…in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (proto, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the application.

References

github.com/advisories/GHSA-x7j8-49r8-mr43
github.com/nevware21/ts-utils/security/advisories/GHSA-x7j8-49r8-mr43
nvd.nist.gov/vuln/detail/CVE-2026-46681

Code Behaviors & Features

Detect and mitigate CVE-2026-46681 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →