CVE-2018-16492
Prototype Pollution in extend
9.8
CRITICAL
CVSS 3.1
EPSS 2.5%
Description
Versions of `extend` prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The `extend()` function allows attackers to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Recommendation
If you're using `extend` 3.x, upgrade to 3.0.2 or later. If you're using `extend` 2.x, upgrade to 2.0.2 or later.
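As an added illustration (not the `extend` package's own code) of what the fixed versions have to guard against, the following deep merge, written here in the spirit of `extend(true, target, ...sources)`, refuses to walk into prototype keys, and a regression check confirms that merging a constructed `__proto__` payload leaves `Object.prototype` untouched. The key list and the `safeDeepExtend`/`runPollutionCheck` names are assumptions of this example.

```javascript
// Added example, not code from the extend project. Keys that would let a merge
// reach the prototype chain instead of the target's own properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Deep-merge `sources` into `target`, skipping keys that could reach the prototype chain.
function safeDeepExtend(target, ...sources) {
  for (const src of sources) {
    if (!isPlainObject(src)) continue;
    for (const key of Object.keys(src)) {
      if (UNSAFE_KEYS.has(key)) continue; // never assign to or recurse into __proto__ etc.
      const value = src[key];
      if (isPlainObject(value)) {
        // Only reuse an existing *own* plain object; otherwise start fresh, so the
        // recursion never writes into something inherited from the prototype chain.
        const existing =
          Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
            ? target[key]
            : {};
        target[key] = safeDeepExtend(existing, value);
      } else if (value !== undefined) {
        target[key] = value;
      }
    }
  }
  return target;
}

// True if a brand-new object inherits `name`, i.e. Object.prototype was polluted.
function objectPrototypeHas(name) {
  return name in {};
}

// Regression check: merging untrusted JSON (constructed sample) that carries an
// own "__proto__" key must not add a property visible on every object.
function runPollutionCheck() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": {"b": 1}}');
  const merged = safeDeepExtend({}, untrusted);
  return { merged, polluted: objectPrototypeHas('polluted') };
}

console.log(runPollutionCheck()); // polluted: false, merged: { a: { b: 1 } }
```

The same check run against a naive recursive merge is a quick way to tell whether a vendored copy of `extend` predates the fix.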
How to fix CVE-2018-16492
To remediate CVE-2018-16492, upgrade the affected package to a fixed version below.
- upgrade to 3.0.2-1 or later
- upgrade to 3.0.2 or later
Is CVE-2018-16492 being exploited?
Low — EPSS is 2.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.0.2-1
- >= 3.0.0, < 3.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |