node-extend is vulnerable to prototype pollution. The merging of the __proto__ property is not prevented, and the utility functions can be tricked into modifying the prototype of “Object” when the structure passed to these functions is controlled by an attacker. This would allow adding new properties or modifying existing ones on all objects.
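
The merge behaviour described above, shown as an added example beside a hardened form; this is not node-extend's source code. The names unsafeMerge, safeMerge, BLOCKED_KEYS, isObj and demo are hypothetical, and the input is constructed.

```javascript
// Added example: generic deep-merge helpers, not node-extend's source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object';

// Vulnerable pattern: every key is followed, including "__proto__".
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isObj(source[key])) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes the supplied keys onto the shared prototype.
      if (!isObj(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: own keys only, prototype-reaching keys skipped, and
// recursion only into objects the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isObj(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObj(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own property.
function demo() {
  const input = JSON.parse('{"name":"x","__proto__":{"polluted":true}}');
  const out = {};
  out.merged = safeMerge({}, input);
  out.afterSafe = ({}).polluted;      // hardened merge leaves prototype alone
  unsafeMerge({}, input);
  out.afterUnsafe = ({}).polluted;    // every object now inherits the key
  delete Object.prototype.polluted;   // restore the global state
  out.afterCleanup = ({}).polluted;
  return out;
}

console.log(demo());
```

Merging into an object created with Object.create(null), or freezing Object.prototype at startup, are complementary mitigations that this example does not cover.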