CVE-2018-3750
Prototype Pollution vulnerability in deep-extend (npm)

Vulnerability type: Prototype Pollution. Public exploits: none known. Fixable by: Resolved Security.

What is CVE-2018-3750 About?

This vulnerability affects `deep-extend` versions before 0.5.1 and is classified as Prototype Pollution. Because the library merges attacker-supplied property names such as `__proto__` into the target object, it allows attackers to modify `Object.prototype`, the prototype shared by ordinary JavaScript objects, potentially leading to arbitrary property injection and script execution. Exploitation requires the attacker to control input that is processed by `deep-extend`.

Affected Software

deep-extend <0.5.1

Technical Details

The deep-extend package, in versions prior to 0.5.1, is vulnerable to Prototype Pollution. When it deep-merges or extends objects it copies every own key of the source without rejecting special property names and recurses into nested objects, so property names from user-controlled input reach the merge loop unchanged. An attacker can therefore place a property name such as `__proto__` (or, in the general form of this bug class, `constructor.prototype`) into the input; for deep-extend the documented vector is `__proto__`, which is what the 0.5.1 fix addresses.

Note that `JSON.parse('{"__proto__": {...}}')` produces an own property literally named `__proto__`, so a JSON request body is enough to reach this path. When deep-extend merges such a key, reading `target["__proto__"]` on an ordinary target object resolves to `Object.prototype`, and the recursive merge then writes the attacker's nested properties into `Object.prototype`, which every plain JavaScript object inherits. The attacker can thus add or overwrite properties that subsequently appear on every object in the application, leading to arbitrary property injection, data tampering, denial of service, or remote code execution depending on how the application uses the affected properties.

What is the Impact of CVE-2018-3750?

Successful exploitation may allow attackers to inject arbitrary properties that appear on every object inheriting from `Object.prototype`, bypass security checks that read such properties (for example an authorization flag looked up on a user object), modify application behavior, cause denial of service, or potentially achieve remote code execution.

What is the Exploitability of CVE-2018-3750?

Exploitation typically involves supplying specially crafted JSON or object input (for example, a request body containing a `__proto__` key) to an application that passes that input to deep-extend. Constructing the payload itself is simple; the practical effort lies in finding a code path where deep-extend merges untrusted input and a downstream property lookup that the injected property influences. No authentication is required when the vulnerable merge operates on unauthenticated input, so privilege requirements are low. The attack can be remote or local depending on how input reaches the application. The essential precondition is that the application applies deep-extend to untrusted input without validating keys. The likelihood of exploitation increases in applications that merge user-controlled data recursively, such as configuration or options objects built from request parameters.

What are the Known Public Exploits?

No known public exploits are listed.

What are the Available Fixes for CVE-2018-3750?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents assignment to the `__proto__` property by introducing a `safeGetProperty` function that returns `undefined` instead of allowing access to `__proto__`, so the merge never recurses into `Object.prototype` and the pollution path is blocked. This fixes CVE-2018-3750, which allowed attackers to inject properties into `Object.prototype` via a deep object merge, potentially enabling denial of service or remote code execution.
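The following is an added example, not deep-extend's own source and not the vendor's patch. It serves both the Technical Details section and the fix note above: a minimal recursive merge in the style of deep-extend before 0.5.1, the `__proto__` JSON payload passed through it, and a hardened merge that applies the `safeGetProperty` defence just described. The function names, the `isAdmin` check and the payload are constructed for this example; refusing `constructor` and `prototype` in addition to `__proto__` is an extra precaution that goes beyond what the page documents for the 0.5.1 patch.

```javascript
// Added example, not deep-extend's source or the vendor's patch.
// Shows the vulnerable merge pattern of deep-extend <0.5.1, the "__proto__"
// payload that pollutes Object.prototype through it, and a hardened merge
// using the safeGetProperty defence the 0.5.1 fix describes.
// All names, the payload and the isAdmin check are constructed for this example.

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: every own key of the source is merged. JSON.parse
// creates an OWN property named "__proto__", so it is visited like any other
// key; target["__proto__"] on a plain object resolves to Object.prototype,
// and the recursion then writes into it.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    const src = target[key];
    if (isPlainObject(val) && isPlainObject(src)) {
      vulnerableMerge(src, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern in the spirit of the 0.5.1 fix: property reads go through
// safeGetProperty, which returns undefined for "__proto__", and the key is
// never written. "constructor" and "prototype" are refused as well; that is
// an extra precaution beyond what the page documents for the patch.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeGetProperty(object, property) {
  return FORBIDDEN_KEYS.has(property) ? undefined : object[property];
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the poisoned key entirely
    const val = safeGetProperty(source, key);
    const src = safeGetProperty(target, key);
    if (isPlainObject(val) && isPlainObject(src)) {
      safeMerge(src, val);
    } else if (isPlainObject(val)) {
      target[key] = safeMerge({}, val); // copy, do not alias attacker data
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive in a JSON request body.
// An object literal {"__proto__": ...} would instead set the literal's own
// prototype; only JSON.parse (or a similar deserialiser) yields an own
// property with that name.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// A typical authorisation check that reads a property without requiring it
// to be the object's own: after pollution it passes for every user.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Merge the payload into a throwaway object with the given merge function,
// then probe an unrelated, freshly created user object. Cleans
// Object.prototype afterwards so the two runs do not contaminate each other.
function probe(merge) {
  try {
    merge({}, JSON.parse(PAYLOAD));
    const user = { name: 'alice' }; // the attacker never touched this object
    return {
      polluted: Object.prototype.hasOwnProperty('isAdmin'),
      adminCheckPassed: isAdmin(user),
    };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function runDemo() {
  const vulnerable = probe(vulnerableMerge);
  const hardened = probe(safeMerge);
  return {
    vulnerablePolluted: vulnerable.polluted,            // true
    vulnerableAdminBypass: vulnerable.adminCheckPassed, // true
    hardenedPolluted: hardened.polluted,                // false
    hardenedAdminBypass: hardened.adminCheckPassed,     // false
  };
}

console.log(runDemo());
```

The `probe` helper deliberately checks a brand-new object that the merge never saw: that is the signature of prototype pollution, and it is the check to add to a test suite for any deep-merge routine that consumes untrusted input. Note that the hardened merge also copies nested attacker objects instead of aliasing them, so later mutation of the parsed input cannot reach the merged configuration.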

Available Upgrade Options

  • deep-extend
    • <0.5.1 → Upgrade to 0.5.1


Additional Resources

What are Similar Vulnerabilities to CVE-2018-3750?

Similar Vulnerabilities: CVE-2018-16487, CVE-2019-10744, CVE-2020-28286, CVE-2020-7712, CVE-2021-23351