Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nam01LTgzY3ctcDNwMs0h4g
Prototype Pollution in extend2
The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.
Permalink: https://github.com/advisories/GHSA-gjm5-83cw-p3p2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nam01LTgzY3ctcDNwMs0h4g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-gjm5-83cw-p3p2, CVE-2021-23568
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23568
- https://github.com/eggjs/extend2/pull/2
- https://github.com/eggjs/extend2/commit/aa332a59116c8398976434b57ea477c6823054f8
- https://github.com/eggjs/extend2/blob/master/index.js%23L50-L60
- https://snyk.io/vuln/SNYK-JS-EXTEND2-2320315
- https://github.com/advisories/GHSA-gjm5-83cw-p3p2
Blast Radius: 24.1
Affected Packages
npm:extend2
Dependent packages: 248Dependent repositories: 2,015
Downloads: 134,048 last month
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions: 1.0.0
All unaffected versions: 1.0.1