Prototype Pollution in just-extend

Severity:: High

Description

Versions of just-extend before 4.0.0 are vulnerable to prototype pollution. Provided certain input just-extend can add or modify properties of the Object prototype. These properties will be present on all objects.

Recommendation

Update the just-extend package to the latest compatible version. Followings are version details:

Affected version(s): < 4.0.0
Patched version(s): 4.0.0

References

GHSA-675m-85rw-j3w4
hackerone.com
www.npmjs.com
CVE-2018-16489
CWE-1321
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in extend - CVE-2018-16492
mockjs vulnerable to Prototype Pollution via the Util.extend function - CVE-2023-26158
Prototype Pollution in lodash (GHSA-4xc9-xhrj-v574) - CVE-2018-16487
Prototype Pollution in lodash - CVE-2018-3721

Tags:: npm; just-extend

Anything's wrong? Let us know Last updated on September 07, 2023