CVE-2026-49252

critical

Description

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.

References

https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6

https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44

Details

Source: Mitre, NVD

Published: 2026-06-18

Updated: 2026-06-23

Risk Information

CVSS v2

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:P

Severity: High

CVSS v3

Base Score: 9.9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Severity: Critical

EPSS

EPSS: 0.0027