CVE-2026-49252 Google Chronicle · YARA-L

Detect Prototype Pollution in @deepstream/server (CVE-2026-49252) in Google Chronicle

CVE-2026-49252 is a critical prototype pollution vulnerability (CVSS 9.9) in @deepstream/server versions prior to 10.0.5. An attacker can manipulate JavaScript object prototypes via crafted deepstream messages, potentially leading to remote code execution, privilege escalation, or denial of service within the Node.js server process.

MITRE ATT&CK

Tactics

  • Initial Access
  • Execution
  • Privilege Escalation

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cve_2026_49252_deepstream_prototype_pollution {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects prototype pollution exploitation attempts against @deepstream/server (CVE-2026-49252)"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/advisories/GHSA-9v98-6g37-x9g6"
  events:
    // Context branch: a deepstream-related process launch, or a connection to the
    // default deepstream port (6020).
    (
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        AND (
          $e.target.process.command_line = /deepstream/ nocase
          OR $e.principal.process.command_line = /deepstream/ nocase
        )
      ) OR (
        $e.metadata.event_type = "NETWORK_CONNECTION"
        AND $e.target.port = 6020
      )
    )
    // ...combined with a prototype pollution indicator in a command line. AND binds
    // tighter than OR in YARA-L, so the outer parentheses above are required; without
    // them the rule fires on every deepstream process launch regardless of payload.
    // For NETWORK_CONNECTION events the initiating process is recorded under
    // principal.process, so the indicator is checked on both sides.
    AND (
      $e.target.process.command_line = /__proto__/ nocase
      OR $e.target.process.command_line = /constructor/ nocase
      OR $e.principal.process.command_line = /__proto__/ nocase
      OR $e.principal.process.command_line = /constructor/ nocase
    )
  condition:
    $e
}
Severity: Critical · Confidence: Medium

Chronicle YARA-L rule that fires when a deepstream process launch, or a network connection to the default deepstream port 6020, coincides with a prototype pollution indicator (__proto__ or constructor) in a process command line. Be clear about what this covers: the CVE is triggered by crafted deepstream messages delivered over the network, and a message body never appears in process command-line telemetry. The rule therefore catches an operator or attacker whose proof-of-concept embeds the payload in its arguments, and inline node -e scripts of the kind the tests below describe, but not the exploit message itself. Two further points for tuning: the /constructor/ pattern matches a common English word and will dominate the hit volume, and the NETWORK_CONNECTION branch only produces a match when the log source populates the initiating process's command line (under principal.process in UDM), which plain firewall or flow telemetry does not. Pair the rule with application-level logging of inbound record messages for coverage of the actual attack path.
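To see how the rule's grouping behaves, the following added example (not code from the df00tech page or from Chronicle) re-implements its three sub-expressions in JavaScript and evaluates them over constructed UDM-shaped events. Field paths mirror the ones the rule uses; the sample events, the PoC command lines and the event names are made up. It checks the pollution indicator on both the target and the initiating (principal) process command line, since connection telemetry records the initiating process under principal. Both groupings are evaluated: the one the rule's description calls for, (launch OR connection) AND indicator, and the one you get if the outer parentheses are omitted, where AND binds tighter than OR and the rule degenerates to launch OR (connection AND indicator).

```javascript
// Added example (not part of the df00tech page or Chronicle): evaluates the rule's
// predicates over constructed UDM-style events so the effect of the AND/OR grouping
// is visible. Field names mirror the UDM paths used in the rule; the events are made up.

const PORT_DEEPSTREAM = 6020;                  // default deepstream port used by the rule
const RE_DEEPSTREAM = /deepstream/i;           // the rule's `nocase` regex
const RE_INDICATOR = /__proto__|constructor/i; // prototype pollution indicators from the rule

// Accessors for optional UDM fields; a missing field never matches, as in YARA-L.
const targetCmd = (e) => (e.target && e.target.process && e.target.process.command_line) || "";
const principalCmd = (e) => (e.principal && e.principal.process && e.principal.process.command_line) || "";
const targetPort = (e) => (e.target && e.target.port) || 0;

// The sub-expressions of the rule's events: section.
const isDeepstreamLaunch = (e) =>
  e.metadata.event_type === "PROCESS_LAUNCH" &&
  (RE_DEEPSTREAM.test(targetCmd(e)) || RE_DEEPSTREAM.test(principalCmd(e)));
const isDeepstreamConnection = (e) =>
  e.metadata.event_type === "NETWORK_CONNECTION" && targetPort(e) === PORT_DEEPSTREAM;
const hasPollutionIndicator = (e) =>
  RE_INDICATOR.test(targetCmd(e)) || RE_INDICATOR.test(principalCmd(e));

// Grouping the rule's description calls for: (launch OR connection) AND indicator.
function matchesIntended(e) {
  return (isDeepstreamLaunch(e) || isDeepstreamConnection(e)) && hasPollutionIndicator(e);
}

// Grouping you get without the outer parentheses: AND binds tighter than OR,
// so the expression parses as launch OR (connection AND indicator).
function matchesUngrouped(e) {
  return isDeepstreamLaunch(e) || (isDeepstreamConnection(e) && hasPollutionIndicator(e));
}

// Constructed sample events (not real telemetry).
const SAMPLE_EVENTS = {
  // A PoC run from a shell: deepstream target and payload both visible in argv.
  pocLaunch: {
    metadata: { event_type: "PROCESS_LAUNCH" },
    target: { process: { command_line: 'node poc.js ws://deepstream:6020 {"__proto__":{"polluted":1}}' } },
  },
  // Routine server start: should stay quiet.
  serverStart: {
    metadata: { event_type: "PROCESS_LAUNCH" },
    target: { process: { command_line: "deepstream start --config conf/config.yml" } },
  },
  // A client connecting to 6020; flow telemetry usually carries no command line.
  plainConnection: {
    metadata: { event_type: "NETWORK_CONNECTION" },
    target: { port: 6020 },
  },
  // EDR-enriched connection from the PoC: initiating process is under principal.
  pocConnection: {
    metadata: { event_type: "NETWORK_CONNECTION" },
    principal: { process: { command_line: 'node poc.js ws://10.0.0.5:6020 {"__proto__":{"polluted":1}}' } },
    target: { port: 6020 },
  },
  // The real exploit path: the payload rides in the message body, which never
  // reaches a command_line field, so neither grouping can see it.
  wirePayload: {
    metadata: { event_type: "NETWORK_CONNECTION" },
    principal: { process: { command_line: "node client.js" } },
    target: { port: 6020 },
  },
};

// Evaluates every sample under both groupings; returns { name: { intended, ungrouped } }.
function evaluateAll(events = SAMPLE_EVENTS) {
  const out = {};
  for (const [name, e] of Object.entries(events)) {
    out[name] = { intended: matchesIntended(e), ungrouped: matchesUngrouped(e) };
  }
  return out;
}

console.table(evaluateAll());
```

The serverStart row is the one to watch: under the ungrouped reading it fires on every ordinary deepstream start, which is where the false-positive volume would come from. The wirePayload row shows the structural gap described above: an exploit delivered in a message body is invisible to any command-line based rule, whichever way it is grouped.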

Data Sources

  • Chronicle UDM (Process Launch events)
  • Chronicle UDM (Network Connection events)

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate deepstream server management commands that reference constructor in benign contexts
  • Security scanning integrations that probe deepstream endpoints as part of authorized assessments
  • CI/CD pipelines running integration tests against deepstream that exercise prototype-related test cases


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Deepstream Prototype Pollution via Crafted Client Message

    Expected signal: Node.js application logs should show receipt of a record set message carrying a __proto__ key; a runtime check inside the server process (OS-level process monitoring cannot see the JavaScript heap) would show an unexpected property on Object.prototype after the message is processed

  2. Test 2: deepstream Server Version Enumeration

    Expected signal: Process execution event for node reading package.json; stdout output containing version string below 10.0.5 confirms vulnerability

  3. Test 3: Prototype Pollution Object Property Verification

    Expected signal: Node.js process execution with inline script; stdout output 'YES - VULNERABLE' confirms Object.prototype susceptibility
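The mechanism behind Tests 1 and 3, as an added example that is not deepstream's code and not the page's Pro test scripts: a generic recursive merge of the kind that makes a record message with a __proto__ key dangerous, the Object.prototype check Test 3 describes, and a hardened merge that refuses the keys which reach the prototype chain. The message is constructed and its field layout (topic, action, name, data) is an assumption for illustration, not the deepstream wire format; the vulnerable merge is a textbook pattern, not a claim about how @deepstream/server is implemented.

```javascript
// Added example (not deepstream's code and not the page's Pro test scripts): shows why a
// JSON message with an own "__proto__" key pollutes Object.prototype when fed to a naive
// deep merge, how to verify the pollution (Test 3 style), and a merge that refuses it.
// CRAFTED_MESSAGE is constructed; its layout is an assumption, not the deepstream format.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive deep merge: walks every key of src, including the own "__proto__" key that
// JSON.parse creates. target["__proto__"] resolves (via the inherited accessor) to
// Object.prototype, so the recursion writes attacker-controlled properties onto it.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (target[key] === undefined || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: rejects keys that address the prototype chain and only ever
// descends into own properties of the target.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`rejected key ${JSON.stringify(key)} in record data`);
    }
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Test 3 style check: does a freshly created object inherit the attacker's property?
function isPrototypePolluted(prop = "polluted") {
  return ({})[prop] !== undefined;
}

// Constructed record update message whose data carries a __proto__ key (the Test 1
// signal). Built as a raw string: an object literal with __proto__ would set the
// prototype instead of creating an own key, and JSON.stringify would drop it.
const CRAFTED_MESSAGE =
  '{"topic":"record","action":"update","name":"user/42","data":{"__proto__":{"polluted":"yes"}}}';

// Parses the message and merges its data into a server-side record using the given merge.
function processMessage(merge, raw) {
  const msg = JSON.parse(raw);                      // own "__proto__" key survives JSON.parse
  const record = { name: msg.name, version: 1 };
  merge(record, msg.data);
  return record;
}

// Runs the crafted message through both merges and reports the effect on Object.prototype.
// Cleans up after the naive run so the process is not left polluted.
function demonstrate() {
  const result = {};
  processMessage(naiveMerge, CRAFTED_MESSAGE);
  result.naivePolluted = isPrototypePolluted();     // true: every object now has .polluted
  delete Object.prototype.polluted;                 // cleanup
  let rejected = false;
  try {
    processMessage(safeMerge, CRAFTED_MESSAGE);
  } catch (err) {
    rejected = true;                                // dangerous key refused
  }
  result.safeRejected = rejected;
  result.safePolluted = isPrototypePolluted();      // false
  return result;
}

console.log(demonstrate());
```

Note the cleanup step: a pollution check like Test 3 leaves the property on Object.prototype for the life of the process, so run it in a throwaway node invocation rather than inside the server you are assessing. The safeMerge rejection is also the kind of event worth logging from the application, since it is the only place the wire payload itself is visible.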
