PT-2018-3979 · Node.Js · Extend

Asgerf · Published 2018-04-24 · Updated 2019-10-09 · CVE-2018-16492

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

extend versions prior to 2.0.2
extend versions prior to 3.0.2

Description

The extend() function of the extend module is vulnerable to prototype pollution. A remote attacker can inject arbitrary properties onto Object.prototype, adding or modifying properties of the object prototype and potentially affecting all objects.

Recommendations

For extend version 2.x, upgrade to 2.0.2 or later. For extend version 3.x, upgrade to 3.0.2 or later.

Exploit

Fix

Special Elements Injection

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-01410
CVE-2018-16492
GHSA-QRMC-FJ45-QFC2

Affected Products

Extend