deephas Prototype-Pollution Advisory

Prototype-pollution advisories are easy to overstate from dependency data alone. CVE-2020-28271 is critical in NVD and GitHub advisory scoring, but the useful scanner signal is still a precise dependency match: a project carrying deephas versions 1.0.0 through 1.0.5 should upgrade or replace the package and review object-path call sites.

The repo check looks for deephas dependency evidence in npm manifests and lockfiles. Lockfile entries produce the strongest signal because they identify a resolved affected version. The finding stays scoped to dependency evidence and does not claim FixVibe mutated Object.prototype, confirmed a DoS condition, or found a runtime RCE path.

If the affected deephas runtime processes attacker-controlled keys or object paths, prototype pollution can alter inherited object behavior and may lead to denial of service or worse gadget-dependent impact. A repo match should trigger dependency remediation and a focused review of untrusted-input paths before treating the issue as confirmed production exploitability.

Upgrade deephas to 1.0.8 or replace it with a maintained deep-path utility, regenerate the active lockfile, rebuild and redeploy the artifact, and review call sites that pass user-controlled keys such as object paths. Keep input schemas stripping prototype keys before they reach object merge or path helpers.