VYPR
Critical severity · NVD Advisory · Published Feb 18, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2021-23702

Description

object-extend is vulnerable to Prototype Pollution via unsafe recursive merge, allowing attackers to pollute Object.prototype and potentially achieve remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The object-extend package (versions up to and including 0.5.0, per the advisory) is vulnerable to Prototype Pollution. Its extend function performs a recursive merge that does not skip the __proto__, constructor or prototype keys, so a merge that reaches a key named __proto__ walks into Object.prototype and lets an attacker inject arbitrary properties into the global Object prototype. [2]

Exploitation

An attacker can exploit this vulnerability by getting a crafted object with a __proto__ key into a call to extend. This happens when the application merges user-supplied data into an object with object-extend; the usual entry point is JSON.parse of request data, which creates an own property literally named __proto__. The recursive merge descends into that key, and because target["__proto__"] on a plain object resolves to Object.prototype, the nested attacker values are written onto Object.prototype and become visible on every object in the application. [2]

Impact

Successful exploitation leads to Prototype Pollution, which can cause denial of service (unexpected properties appearing on every object and triggering JavaScript exceptions) or, in more severe scenarios, tamper with application logic (for example, an authorisation flag that code reads from a config object) and potentially enable remote code execution. The impact depends on how the polluted properties are used by the application. [2]

Mitigation

No specific fix or patched version has been disclosed in the available references, and the advisory lists no patched version. Users should avoid passing untrusted input to object-extend, or switch to a merge utility that rejects the __proto__, constructor and prototype keys, copies only own properties, and never recurses into a nested object that the target merely inherits. [2]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
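The mechanics described under Exploitation and the defensive checks named under Mitigation, as an added example that is not object-extend's own source: unsafeExtend is a minimal recursive merge written in the unsafe style the advisory describes, safeExtend is a hardened version, and ATTACKER_JSON is a constructed payload. The function names and the payload are assumptions for illustration.

```javascript
// Added example, not object-extend's source: a minimal recursive merge in the
// unsafe style the advisory describes, beside a hardened one, and a constructed
// attacker payload that pollutes Object.prototype through the unsafe version.

// Unsafe: for...in visits every enumerable key, including one literally named
// "__proto__", and target["__proto__"] on a plain object resolves to
// Object.prototype, so the recursion writes into the global prototype.
function unsafeExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the three dangerous keys, copy own keys only, and never
// recurse into a nested object the target merely inherits.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse is the usual entry point because it
// creates an own property named "__proto__"; an object literal in source code
// would instead set the object's prototype.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Returns true if an unrelated object created after the merge sees isAdmin.
function demoUnsafe() {
  unsafeExtend({}, JSON.parse(ATTACKER_JSON));
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so the rest of the process is unaffected
  return polluted;
}

// Returns true only if the hardened merge leaked the payload in any way.
function demoSafe() {
  const settings = safeExtend({}, JSON.parse(ATTACKER_JSON));
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  // The blocked key is dropped entirely: settings gains no own __proto__ and keeps its prototype.
  return polluted || hasOwn(settings, '__proto__') || Object.getPrototypeOf(settings) !== Object.prototype;
}

console.log({ unsafePolluted: demoUnsafe(), safePolluted: demoSafe() });
```

The hasOwn check in safeExtend matters as much as the key blocklist: without it, a merge into an object whose nested value is inherited (for instance a class instance) would write into that shared prototype even when the key itself is harmless.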

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: object-extend (npm)
Affected versions: <= 0.5.0
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.


References

3
