VYPR
Critical severity · NVD Advisory · Published May 26, 2021 · Updated Aug 3, 2024

CVE-2021-25945

Description

Prototype pollution in js-extend 0.0.1 to 1.0.1 allows attackers to cause denial of service and potentially remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The js-extend library (versions 0.0.1 through 1.0.1) is vulnerable to prototype pollution. The extend function does not properly restrict the modification of an object's prototype, allowing an attacker to inject properties into Object.prototype. This affects all applications that use the library to merge user-supplied objects without sanitization [1][3].

Exploitation

An attacker can exploit this by providing a crafted object with a __proto__ or constructor.prototype property to the extend function. No authentication is required if the application exposes the extend function to user input (e.g., via JSON parsing). The attacker can then pollute the global prototype, affecting all objects in the runtime [1][3].

Impact

Successful exploitation can lead to denial of service by causing unexpected behavior or crashes. In some contexts, prototype pollution can be escalated to remote code execution if the polluted property influences later code execution paths (e.g., template engines or configuration handlers) [1][3].

Mitigation

As of the available references, no official patch has been released for js-extend. Users should avoid using the library with untrusted input or migrate to an alternative library that is not vulnerable to prototype pollution. The library appears to be unmaintained [2][3].
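One way to merge untrusted input without the prototype-pollution path described above, as an added example that is not js-extend's own code: `safeExtend` refuses to walk into `__proto__`, `constructor` and `prototype` keys, and `prototypeIsClean` is a post-merge check a defender can run. The function names and the sample payload are constructed here, modelled on the key shape the advisory describes.

```javascript
// Keys that can redirect a write into an object's prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`, copying only own enumerable keys and
// dropping any key that could reach Object.prototype. Constructed example,
// not the js-extend library's extend function.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never assign, never recurse
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a plain object that `target` already owns;
      // otherwise start from a fresh object so no shared object is mutated.
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Post-merge check: a freshly created object must not see any of the
// given names through its prototype chain.
function prototypeIsClean(...names) {
  const probe = {};
  return names.every((name) => !(name in probe));
}

// Constructed sample input shaped like the payload the advisory describes
// (a "__proto__" key and a "constructor.prototype" key arriving via JSON).
const untrusted = JSON.parse(
  '{"name":"x","__proto__":{"polluted":true},' +
  '"constructor":{"prototype":{"polluted2":true}}}'
);

// Merge the untrusted object into an application config and report whether
// Object.prototype stayed untouched.
function demo() {
  const config = safeExtend({ debug: false }, untrusted);
  return { config, clean: prototypeIsClean('polluted', 'polluted2') };
}
```

Running `demo()` merges only the harmless `name` key; the blocked keys are discarded rather than assigned, so the check returns `clean: true`.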

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
js-extend (npm)   <= 1.0.1            none

Affected products: 2

Patches: 0. No patches discovered yet.

References: 3
