Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in…
hackerone·CWE-471·Published 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.
All versions of `utils-extend` are vulnerable to prototype pollution. The `extend` function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.
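The bug class described above, shown next to a hardened merge, as an added example that is not code from `utils-extend` or from this advisory. `naiveExtend`, `safeExtend`, `demo` and the sample JSON are hypothetical names and constructed input used only for illustration.

```javascript
// Added illustration: hypothetical helpers, not the utils-extend source code.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unsafe pattern: a recursive merge that follows every key, including "__proto__".
function naiveExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveExtend(target[key], source[key]); // target.__proto__ is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain and only recurse
// into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "x"}');
  const seen = {};
  const merged = safeExtend({}, untrusted);
  seen.afterSafe = ({}).polluted;
  seen.mergedName = merged.name;
  naiveExtend({}, untrusted);
  seen.afterNaive = ({}).polluted;
  delete Object.prototype.polluted; // restore the shared prototype
  seen.afterCleanup = ({}).polluted;
  return seen;
}
```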
A flaw in input validation in the npm package utils-extend, versions prior to 1.0.8, may allow a prototype pollution attack that may result in remote code execution or denial of service of applications that use utils-extend.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 7.5 | 10.0 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |