Detect Prototype Pollution in @deepstream/server (CVE-2026-49252) in IBM QRadar
CVE-2026-49252 is a critical prototype pollution vulnerability (CVSS 9.9) in @deepstream/server versions prior to 10.0.5. An attacker who can send crafted deepstream messages to the server can inject keys such as __proto__ into objects the server merges, polluting JavaScript object prototypes in the Node.js server process; depending on what the polluted properties reach, this can lead to remote code execution, privilege escalation, or denial of service.
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip, destinationip, destinationport,
       "username", "processname", QIDNAME(qid) AS EventName,
       CATEGORYNAME(category) AS Category,
       UTF8(payload) AS RawPayload
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('LinuxSyslog', 'WindowsAuthServer', 'NodeJS')
  AND (
        UTF8(payload) ILIKE '%deepstream%'
     OR "processname" ILIKE '%deepstream%'
  )
  AND (
        UTF8(payload) ILIKE '%__proto__%'
     OR UTF8(payload) ILIKE '%constructor%'
     OR UTF8(payload) ILIKE '%prototype%'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000

QRadar AQL query that scans syslog and Node.js application log sources for deepstream-related events (deepstream in the raw payload or in the process name) whose payload contains a prototype pollution indicator (__proto__, constructor or prototype) within the last 24 hours (86400000 ms), returning at most 1000 rows. The LOGSOURCETYPENAME values and the "username" and "processname" custom property names must match those defined in your deployment; in particular, adjust 'NodeJS' to whatever log source type actually receives the application's logs (commonly a syslog or Universal DSM source), otherwise the query returns nothing.
False Positives & Tuning
- Application debug logs that dump full object representations, including prototype-chain references such as Object.prototype or constructor names
- Log ingestion or enrichment pipelines that transform and re-log JSON, carrying prototype keys into new events
- Security scanners whose automated checks generate deepstream-tagged log events containing the indicator strings
Because 'constructor' and 'prototype' are ordinary substrings in much application and scanner output, most of the noise comes from those two terms. Tightening the payload match so the indicator must appear as a JSON key (for example UTF8(payload) ILIKE '%"__proto__"%') or restricting the rule to record-write events cuts the false positive rate while keeping genuine pollution attempts, which have to carry the key to reach a merge routine.
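To see what the query above actually surfaces, and why the tuning notes single out 'constructor' and 'prototype', here is the rule's indicator logic re-implemented in plain JavaScript and run over a handful of constructed log events. This is an added example, not the page's query or anything from QRadar or deepstream; the event fields mirror the AQL columns, the sample events are made up, and the time window and LIMIT are left out because the samples carry no timestamps. A tightened variant that requires the indicator to appear as a JSON key is shown beside the page's rule.

```javascript
// Added example (not from the page or from QRadar): the AQL rule's indicator logic
// re-implemented in JavaScript so it can be run offline against constructed log events.
// Field names mirror the AQL columns; the time window and LIMIT are omitted because the
// sample events carry no timestamps.

// Constructed sample events. None of these is real telemetry.
const SAMPLE_EVENTS = [
  { id: 1, sourceType: 'LinuxSyslog', processName: 'node',
    payload: 'deepstream RECORD set user/42 {"__proto__":{"isAdmin":true}}' },          // true positive
  { id: 2, sourceType: 'LinuxSyslog', processName: 'deepstream',
    payload: 'DEBUG Object.prototype.hasOwnProperty check passed for record user/7' },   // debug-log false positive
  { id: 3, sourceType: 'WindowsAuthServer', processName: 'svchost.exe',
    payload: 'An account was successfully logged on' },                                  // unrelated
  { id: 4, sourceType: 'LinuxSyslog', processName: 'nessusd',
    payload: 'plugin finished: deepstream server prototype pollution check' },           // scanner false positive
  { id: 5, sourceType: 'NodeJS', processName: 'node',
    payload: 'deepstream RECORD set user/9 {"constructor":{"prototype":{"isAdmin":true}}}' }, // true positive via constructor.prototype
  { id: 6, sourceType: 'LinuxSyslog', processName: 'node',
    payload: 'some-other-app {"__proto__":{"x":1}}' },                                   // no deepstream context: out of scope
];

const SOURCE_TYPES = new Set(['LinuxSyslog', 'WindowsAuthServer', 'NodeJS']);
const INDICATORS = ['__proto__', 'constructor', 'prototype'];

// Case-insensitive substring test, the equivalent of AQL's ILIKE '%needle%'.
function ilike(haystack, needle) {
  return haystack.toLowerCase().includes(needle.toLowerCase());
}

// Scope shared by both rules: in-scope source type and deepstream in payload or process name.
function inScope(ev) {
  return SOURCE_TYPES.has(ev.sourceType)
    && (ilike(ev.payload, 'deepstream') || ilike(ev.processName, 'deepstream'));
}

// The page's rule: any indicator anywhere in the payload.
function matchesPageRule(ev) {
  return inScope(ev) && INDICATORS.some(ind => ilike(ev.payload, ind));
}

// Tightened variant: the indicator must appear as a JSON object key
// ("__proto__": / "constructor": / "prototype":), which is how it reaches a merge routine.
const KEY_RE = /"(__proto__|constructor|prototype)"\s*:/i;
function matchesTightenedRule(ev) {
  return inScope(ev) && KEY_RE.test(ev.payload);
}

// Returns the ids of the events a rule would surface, in input order.
function runRule(events, rule) {
  return events.filter(rule).map(ev => ev.id);
}

console.log('page rule     :', runRule(SAMPLE_EVENTS, matchesPageRule));      // [1, 2, 4, 5]
console.log('tightened rule:', runRule(SAMPLE_EVENTS, matchesTightenedRule)); // [1, 5]
```

Events 2 and 4 are the two false positive classes from the list above (a debug line mentioning Object.prototype and a scanner line mentioning prototype pollution); the page's rule fires on both, the key-based variant fires only on the two events that actually carry a pollution key. Event 6 shows that the deepstream scope clause, not the indicator clause, is what keeps the rule from turning into a generic __proto__ hunt.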
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Deepstream Prototype Pollution via Crafted Client Message
Expected signal: Node.js application logs should show receipt of a record set message carrying a __proto__ key; an in-process check after the message is handled may show an unexpected property on Object.prototype.
- Test 2: deepstream Server Version Enumeration
Expected signal: process execution event for node reading package.json; stdout containing a version string below 10.0.5 confirms the installation is vulnerable.
- Test 3: Prototype Pollution Object Property Verification
Expected signal: Node.js process execution with an inline script; stdout 'YES - VULNERABLE' confirms Object.prototype is susceptible.
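The following block ties the vulnerability description at the top of the page to the three tests: a generic recursive merge of the kind a record "set" handler uses to apply a client patch to a stored record, polluted by a message with a __proto__ key (Test 1), a version comparison against the 10.0.5 fix (Test 2), and an Object.prototype probe that prints 'YES - VULNERABLE' or not (Test 3), alongside a hardened merge that refuses the dangerous keys. This is an added example and is not deepstream's code; the message shape, record store and function names are constructed stand-ins, not the deepstream wire protocol or API.

```javascript
// Added example (not deepstream's code): a generic recursive merge of the kind a record
// "set" handler uses to apply a client's patch to a stored record, its hardened
// counterpart, and the checks that Tests 1-3 describe. The message format is a
// constructed stand-in, not the deepstream wire protocol.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: trusts every key in the client-supplied object. A key of "__proto__"
// makes target[key] resolve to Object.prototype, which then receives the nested values.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drops the keys that reach the prototype chain and only descends into
// properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;           // refuse the pollution vector outright
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Test 1 stand-in: a record-set message whose data carries a __proto__ key. JSON.parse
// creates "__proto__" as an ordinary own property, so Object.keys() returns it.
const CRAFTED_SET_MESSAGE = JSON.parse(
  '{"topic":"RECORD","action":"SET","name":"user/42","data":{"__proto__":{"isAdmin":true}}}'
);

// Applies a set message to a stored record with the given merge routine and reports
// whether a fresh, unrelated object now sees the property the message tried to inject.
function applySetMessage(store, message, merge) {
  const record = store[message.name] || (store[message.name] = {});
  merge(record, message.data);
  return { record, leaked: ({}).isAdmin === true };  // isAdmin is the key CRAFTED_SET_MESSAGE injects
}

// Test 3 stand-in: probe Object.prototype with a dedicated key and clean up afterwards.
function probePollution(merge) {
  const probe = '__pollution_probe__';
  merge({}, JSON.parse(`{"__proto__":{"${probe}":true}}`));
  const polluted = ({})[probe] === true;
  delete Object.prototype[probe];                    // cleanup so later checks start clean
  return polluted ? 'YES - VULNERABLE' : 'NO - NOT VULNERABLE';
}

// Test 2 stand-in: fixed in 10.0.5, so any numerically lower major.minor.patch is affected.
function isVulnerableVersion(version) {
  const [maj = 0, min = 0, pat = 0] = version.split('.').map(Number);
  const [fixMaj, fixMin, fixPat] = [10, 0, 5];
  if (maj !== fixMaj) return maj < fixMaj;
  if (min !== fixMin) return min < fixMin;
  return pat < fixPat;
}

console.log(probePollution(unsafeMerge));                                   // YES - VULNERABLE
console.log(probePollution(safeMerge));                                     // NO - NOT VULNERABLE
console.log(isVulnerableVersion('10.0.4'), isVulnerableVersion('10.0.5'));  // true false
```

The probe deletes the property it adds so that repeated runs (and the safe-merge check that follows) do not inherit pollution from an earlier call; a real Test 3 script that leaves the property behind would make every later prototype check in the same process report vulnerable.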