CRITICAL 9.9

GHSA-9v98-6g37-x9g6

deepstream is vulnerable to prototype pollution

Details

### Impact

Prototype pollution in deepstream server versions <= 10.0.4. Potential privilege escalation by any authenticated user with write permission to any record.

### Patches

Yes, upgrade to v10.0.5.

### Workarounds

Filter out all messages containing the path `__proto__`, `constructor`, or `prototype`, **before they reach the server's message pipeline**.
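One way to implement that pre-pipeline filter in a Node.js proxy or message hook, as an added example that is not deepstream's own code; the message shape `{ name, path, data }` (record name, dotted record path, parsed JSON payload) is an assumption made for illustration:

```javascript
// Added example (not deepstream's own code). Assumed message shape:
// { name: 'users/alice', path: 'profile.theme', data: { ... } }
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Split a record name or dotted path on '.' and '/' and reject any
// segment that names a prototype-chain key.
function pathHasForbiddenSegment(path) {
  if (typeof path !== 'string') return false;
  return path.split(/[./]/).some((seg) => FORBIDDEN.has(seg));
}

// Walk parsed JSON. JSON.parse turns "__proto__" into an *own* property,
// so Object.keys() sees it, unlike the special __proto__ of an object literal.
function dataHasForbiddenKey(value, depth = 0) {
  if (depth > 64) return true; // absurd nesting is treated as suspicious
  if (Array.isArray(value)) {
    return value.some((v) => dataHasForbiddenKey(v, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN.has(key)) return true;
      if (dataHasForbiddenKey(value[key], depth + 1)) return true;
    }
  }
  return false;
}

// True when the message must be dropped before it reaches the server.
function shouldRejectMessage(message) {
  return pathHasForbiddenSegment(message.name)
    || pathHasForbiddenSegment(message.path)
    || dataHasForbiddenKey(message.data);
}

// Constructed sample messages for a quick self-check.
const benignMessage = {
  name: 'users/alice', path: 'profile.theme', data: { color: 'blue' },
};
const hostilePath = {
  name: 'users/alice', path: '__proto__.isAdmin', data: true,
};
const hostileData = {
  name: 'users/alice', path: 'profile',
  data: JSON.parse('{"nested":{"constructor":{"prototype":{"isAdmin":true}}}}'),
};
```

Keys are compared as exact segments, so a legitimate field such as `prototypeVersion` is not rejected.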


Affected packages

npm / @deepstream/server
Introduced in: 0
Fixed in: 10.0.5
Fix: `npm install @deepstream/server@10.0.5`

References