Prototype Pollution in @deepstream/server (CVE-2026-49252)

CVE-2026-49252 is a critical prototype pollution vulnerability (CVSS 9.9) in @deepstream/server versions prior to 10.0.5. An attacker can manipulate JavaScript object prototypes via crafted deepstream messages, potentially leading to remote code execution, privilege escalation, or denial of service within the Node.js server process.

What is CVE-2026-49252 Prototype Pollution in @deepstream/server (CVE-2026-49252)?

CVE-2026-49252 maps to the MITRE ATT&CK tactics Initial Access, Execution and Privilege Escalation; under Initial Access, the adversary is trying to get into your network.

This page provides production-ready detection logic for Prototype Pollution in @deepstream/server (CVE-2026-49252), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint and Microsoft Sentinel, specifically the DeviceProcessEvents and DeviceNetworkEvents tables. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK tactics: Initial Access, Execution, Privilege Escalation

Microsoft Sentinel / Defender (KQL)
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (ProcessCommandLine has "deepstream" or ProcessCommandLine has "@deepstream/server")
    or (InitiatingProcessCommandLine has "deepstream")
| extend SuspiciousPayload = ProcessCommandLine has_any ("__proto__", "constructor", "prototype")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, RemoteIP, RemotePort, SuspiciousPayload
| order by TimeGenerated desc

Detects process and network activity associated with deepstream server processes, flagging command lines or spawned children that contain prototype pollution indicators (__proto__, constructor, prototype).

Severity: critical. Confidence: medium.

Data Sources: Microsoft Defender for Endpoint, Microsoft Sentinel (DeviceProcessEvents, DeviceNetworkEvents)

Required Tables: DeviceProcessEvents, DeviceNetworkEvents

False Positives

  • Legitimate deepstream administrative scripts referencing prototype keywords in benign contexts
  • Security scanning tools probing deepstream endpoints for vulnerability assessment
  • Development environments running test suites that exercise prototype manipulation code paths

Sigma rule & cross-platform mapping

The detection logic for Prototype Pollution in @deepstream/server (CVE-2026-49252) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Deepstream Prototype Pollution via Crafted Client Message

     Expected signal: Node.js application logs should show receipt of a record set message with a __proto__ key; process monitoring may show an unexpected property on Object.prototype after message processing.

  2. Test 2: deepstream Server Version Enumeration

     Expected signal: Process execution event for node reading package.json; stdout output containing a version string below 10.0.5 confirms vulnerability.

  3. Test 3: Prototype Pollution Object Property Verification

     Expected signal: Node.js process execution with an inline script; stdout output 'YES - VULNERABLE' confirms Object.prototype susceptibility.
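The mechanism Test 1 and Test 3 exercise, as an added example that is not deepstream's code: a naive recursive merge that a crafted record update carrying a __proto__ key walks into Object.prototype, a hardened merge that rejects the same three keys the KQL query flags, and the Object.prototype check Test 3 describes. All names and the sample message are hypothetical constructions.

```javascript
// Added example (not deepstream's code): models a record "set" payload that
// arrives as JSON and is merged into a server-side record object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive merge: the pattern prototype pollution relies on. For a source
// key "__proto__", target["__proto__"] resolves to Object.prototype and is written into.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject prototype-bearing keys and only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`unsafe key in record update: ${key}`);
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Mirrors Test 3: does Object.prototype now carry a property it should not have?
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed sample message, not a captured deepstream payload.
const CRAFTED_UPDATE = '{"name":"alice","__proto__":{"polluted":true}}';

// Runs the vulnerable and hardened merges; restores Object.prototype afterwards.
function demonstrate() {
  naiveMerge({}, JSON.parse(CRAFTED_UPDATE));
  const naivePolluted = isPrototypePolluted('polluted');
  delete Object.prototype.polluted; // clean up so later checks are meaningful
  let safeRejected = false;
  try { safeMerge({}, JSON.parse(CRAFTED_UPDATE)); } catch { safeRejected = true; }
  return { naivePolluted, safeRejected, safePolluted: isPrototypePolluted('polluted') };
}
```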
