CVE-2018-16492
Prototype Pollution vulnerability in extend (npm)


What is CVE-2018-16492 About?

This vulnerability is a Prototype Pollution flaw in `extend` versions prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x). It allows attackers to modify or add properties to the Object prototype, which can lead to various integrity or availability issues across the application. Exploitation can be relatively easy if attacker-controlled input is passed to the vulnerable function.

Affected Software

  • extend
    • <2.0.2
    • >3.0.0, <3.0.2

Technical Details

The extend() function in affected versions of the extend library is susceptible to prototype pollution due to improper handling of object merging. An attacker can supply a specially crafted object as input, which includes properties named __proto__. When extend() attempts to merge this object, it recursively merges properties, leading to the __proto__ property being processed. This allows the attacker to inject arbitrary properties or overwrite existing ones directly onto the global Object.prototype, affecting all subsequent JavaScript objects in the application's execution context.

What is the Impact of CVE-2018-16492?

Successful exploitation may allow attackers to corrupt application data, bypass security controls, or cause a denial of service due to unexpected object behavior.

What is the Exploitability of CVE-2018-16492?

Exploitation requires the attacker to be able to control input passed to the extend() function. The complexity level is low to moderate, as it involves crafting a specific JSON or JavaScript object payload containing the __proto__ property. Authentication requirements vary based on whether the vulnerable function is reachable from unauthenticated inputs. No specific privileges are needed beyond the ability to submit a crafted payload. This vulnerability can be exploited remotely if the input originates from a network request, or locally if processing untrusted local data. The risk of exploitation increases when an application merges untrusted data without proper sanitization.

What are the Known Public Exploits?

PoC Author  | Link | Commentary
dsp-testing | Link | PoC for CVE-2018-16492

What are the Available Fixes for CVE-2018-16492?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents prototype pollution by ensuring that properties named `__proto__` are defined as own properties on the target object using Object.defineProperty, rather than assigned in a way that could alter the prototype chain. This change fixes CVE-2018-16492 by blocking the use of object merging to tamper with Object.prototype and potentially execute arbitrary code or alter object behavior application-wide.
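The following added example (not code from the extend project or from Resolved Security) illustrates both the merging flaw described under Technical Details and the fix described above: a minimal recursive merge in the style of extend(), once as written in the vulnerable form and once defining `__proto__` keys as own properties with Object.defineProperty. The helper names, the constructed JSON payload and the `polluted` marker property are assumptions for illustration.

```javascript
// Minimal recursive merge in the style of extend(target, source).
// mergeUnsafe mirrors the flaw described above: an own "__proto__" key in the
// source is read back via target["__proto__"], which is Object.prototype, so
// the recursion writes straight into the shared prototype.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {}; // target["__proto__"] -> Object.prototype
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant following the fix described on this page: a key named
// "__proto__" becomes an own data property via Object.defineProperty (which
// never walks the prototype chain) and is not recursed into.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (key === '__proto__') {
      Object.defineProperty(target, key, { value: val, writable: true, enumerable: true, configurable: true });
      continue;
    }
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload (assumption): a JSON body an application might merge into its config.
const PAYLOAD = '{"__proto__": {"polluted": true}, "theme": "dark"}';
// Merges PAYLOAD with the given merge function and reports whether a fresh,
// unrelated object now carries the injected property; cleans up afterwards.
function pollutes(merge) {
  merge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

Running `pollutes(mergeUnsafe)` returns true while `pollutes(mergeSafe)` returns false; with the safe merge the `__proto__` key survives only as an own property of the result, so other objects are unaffected.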

Available Upgrade Options

  • extend
    • <2.0.2 → Upgrade to 2.0.2
    • >3.0.0, <3.0.2 → Upgrade to 3.0.2


Additional Resources

What are Similar Vulnerabilities to CVE-2018-16492?

Similar Vulnerabilities: CVE-2018-16469, CVE-2019-11358, CVE-2019-10744, CVE-2020-28282, CVE-2020-8270