CVE-2018-3750

CRITICAL

deep-extend < 0.5.0 - Prototype Pollution via Utilities Function

Description

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

References (1)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/311333

Scores

CVSS v3 9.8
EPSS 0.0215
EPSS Percentile 79.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (2)
deep_extend_project/deep_extend < 0.5.0
npm/deep-extend 0 - 0.5.1 (npm)
Published Jul 03, 2018
Tracked Since Feb 18, 2026