extend2@1.0.0 vulnerabilities

Port of jQuery.extend for node.js and the browser

Direct Vulnerabilities

Known vulnerabilities in the extend2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Prototype Pollution

extend2 is a forked from node-extend, the difference is overriding array as primitive when deep clone.

Affected versions of this package are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.

POC:


var e = require ("extend2")
e(true, {}, JSON.parse('{"__proto__": {"polluted": "yes"}}'))
console.log("Is polluted? " + "anything".polluted)

How to fix Prototype Pollution?

Upgrade extend2 to version 1.0.1 or higher.

<1.0.1