Description
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update the extend package to the latest compatible version. Followings are version details:
Affected version(s): **>= 1.1.3, < 2.0.2 >= 3.0.0, < 3.0.2** Patched version(s): **2.0.2 3.0.2**
References
Related Issues
- Prototype Pollution in just-extend - CVE-2018-16489
- mockjs vulnerable to Prototype Pollution via the Util.extend function - CVE-2023-26158
- Prototype Pollution in lodash (GHSA-4xc9-xhrj-v574) - CVE-2018-16487
- Prototype Pollution in lodash - CVE-2018-3721
- Tags:
- npm
- extend
Anything's wrong? Let us know Last updated on January 22, 2026