VYPR
Critical severity · NVD Advisory · Published Feb 1, 2019 · Updated Aug 5, 2024

CVE-2018-16489

Description

Prototype pollution vulnerability in just-extend before 4.0.0 allows attackers to inject properties into Object.prototype via its extend function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of the just-extend npm package prior to 4.0.0 contain a prototype pollution vulnerability in the extend function. The function recursively merges objects without sanitizing keys such as __proto__ or constructor.prototype, so an attacker who controls the merge input can inject arbitrary properties onto Object.prototype [1][2].

Exploitation

An attacker can exploit this by passing a crafted object with a __proto__ property to the extend function. For example, calling extend(true, {}, JSON.parse('{"__proto__": {"polluted": true}}')) will pollute the global Object prototype. No authentication or special privileges are required; the attacker only needs to control the input to the extend function [1][2].

Impact

Successful exploitation leads to prototype pollution, which can affect all objects in the application. This can result in unexpected behavior, denial of service, or potentially arbitrary code execution depending on how the polluted properties are used by the application. The vulnerability is rated critical (CVSS 9.8) [1][2].

Mitigation

Upgrade to just-extend version 4.0.0 or later, which fixes the issue by properly sanitizing prototype keys. The fix was released on February 7, 2019 [2]. No workaround is available for older versions; users must update the package.
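The following is an added example, not just-extend's own code: a deep merge written in the unsanitized style the Vulnerability section describes, beside a hardened merge that skips prototype keys and only recurses into the target's own properties, with a check that runs the payload quoted above through each and reports whether a fresh object inherited the injected property. Function names (naiveExtend, safeExtend, pollutes) and the FORBIDDEN_KEYS list are this example's own.

```javascript
// Keys that must never be copied by a recursive merge: each one is a path
// from an ordinary object to a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsanitized deep merge, in the style the advisory describes (example code).
// For key "__proto__", target[key] is Object.prototype, so the recursion
// walks into the shared prototype and writes the payload's properties there.
function naiveExtend(target, ...sources) {
  for (const src of sources) {
    if (src === null || typeof src !== 'object') continue;
    for (const key of Object.keys(src)) {
      const val = src[key];
      if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
        if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
        naiveExtend(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Hardened deep merge (example code): drop prototype keys and recurse only
// into a plain object that the target itself owns, never an inherited one.
function safeExtend(target, ...sources) {
  for (const src of sources) {
    if (src === null || typeof src !== 'object') continue;
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const val = src[key];
      if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
        const own = Object.prototype.hasOwnProperty.call(target, key);
        if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
        safeExtend(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Merges the payload quoted in the advisory via extendFn and reports whether a
// brand-new object now inherits "polluted". Cleans up so the check is repeatable.
function pollutes(extendFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  extendFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

A regression test that asserts pollutes(safeExtend) is false after every change to the merge routine catches this class of bug before it ships.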

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: just-extend (npm)
Affected versions: < 4.0.0
Patched versions: 4.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)