GHSA-hhx9-57xq-r5rw: @hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key
Summary
The @hey-api/openapi-ts library has a vulnerability in its `buildClientParams` template where an attacker can inject a special key like `$query___proto__` to replace the prototype chain (the object that provides inherited properties) of generated request parameters. This affects all applications that use this library to generate SDKs (software development kits) and pass user-controlled data to those generated functions, particularly in proxy servers or API gateways.
Vulnerability Details
EPSS: 0.0%
Yes
July 1, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-hhx9-57xq-r5rw
First tracked: July 1, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%