deepstream is vulnerable to prototype pollution
Critical severity
GitHub Reviewed
Published
May 25, 2026
in
deepstreamIO/deepstream.io
•
Updated Jun 26, 2026
Description
Published by the National Vulnerability Database
Jun 18, 2026
Published to the GitHub Advisory Database
Jun 26, 2026
Reviewed
Jun 26, 2026
Last updated
Jun 26, 2026
Impact
Prototype pollution in deepstream server v <=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.
Patches
Yes, upgrade to v10.0.5
Workarounds
Filter out all messages containing the path
__proto__,constructor,prototype, before they reach the server's message pipelineReferences