Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFybWMtZmo0NS1xZmMy
Prototype Pollution in extend
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Recommendation
- If you're using extend 3.x, upgrade to 3.0.2 or later.
- If you're using extend 2.x, upgrade to 2.0.2 or later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFybWMtZmo0NS1xZmMy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 6 years ago
Updated: almost 2 years ago
EPSS Percentage: 0.00665
EPSS Percentile: 0.79564
Identifiers: GHSA-qrmc-fj45-qfc2, CVE-2018-16492
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16492
- https://hackerone.com/reports/381185
- https://github.com/advisories/GHSA-qrmc-fj45-qfc2
- https://www.npmjs.com/advisories/996
Affected Packages
npm:extend
Dependent packages: 6,106
Dependent repositories: 6,640
Downloads: 133,427,074 last month
Affected Version Ranges: < 2.0.2, >= 3.0.0, < 3.0.2
Fixed in: 2.0.2, 3.0.2
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 2.0.0, 2.0.1, 3.0.0, 3.0.1
All unaffected versions: 2.0.2, 3.0.2