1024bit Extend-Deep Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability has been identified in the 1024bit extend-deep package, affecting version 0.1.6. The flaw lies in an unidentified function in index.js: when merging objects, the package does not sanitize the __proto__ key of the source object, so the merge writes through it into the global Object.prototype. A remote attacker who controls the merged input can therefore inject properties that appear on every object in the application. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available.

Impact

Successful exploitation results in prototype pollution, which can enable remote code execution, inject properties into Object.prototype that propagate to every object, bypass security checks, and cause denial-of-service conditions by overriding critical methods.

Reproduction

To reproduce this vulnerability, merge a source object that carries a __proto__ key into a target object with the extend-deep function. The merge recurses through __proto__ into Object.prototype, so the injected properties become readable on any object in the application.
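To make the mechanism and the fix concrete, the following is an added example in JavaScript; it is not the extend-deep package's own code, which this page does not reproduce. It models the bug class with a hypothetical naive recursive merge, places a hardened merge beside it, and adds a validator that flags prototype-related keys in untrusted input before it reaches any merge. The payloads are constructed samples, and the names naiveDeepMerge, safeDeepMerge, findDangerousKeys and pollutes are assumptions of this example.

```javascript
// Added illustration (not the extend-deep package's own code): a naive recursive
// merge of the kind behind this bug class, beside a hardened variant and a
// validator that flags dangerous keys in untrusted input before it is merged.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObjectLike(value) {
  return typeof value === 'object' && value !== null;
}

// Only plain objects ({} or Object.create(null)) are recursed into; arrays,
// Dates, class instances and the like are copied by reference.
function isPlainObject(value) {
  if (!isObjectLike(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hypothetical naive deep merge: it recurses through target[key], so a source
// key of "__proto__" walks straight into Object.prototype and writes there.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObjectLike(source[key])) {
      if (!isObjectLike(target[key])) target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: refuses prototype-related keys, only recurses into an
// existing OWN plain-object property of the target, and only descends into
// plain objects from the source.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validator for untrusted input (e.g. a parsed JSON body): returns the dotted
// paths of every dangerous key so the request can be rejected and logged.
function findDangerousKeys(input, path = '', found = []) {
  if (!isObjectLike(input)) return found;
  for (const key of Object.keys(input)) {
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) found.push(here);
    findDangerousKeys(input[key], here, found);
  }
  return found;
}

// Runs one merge implementation against a constructed payload and reports
// whether Object.prototype was affected; always restores the prototype after.
function pollutes(mergeFn) {
  // Constructed sample payload. JSON.parse creates an own "__proto__" data
  // property, which is how such input typically arrives from a request body.
  const payload = JSON.parse(
    '{"settings":{"theme":"dark"},"__proto__":{"pollutedFlag":true}}'
  );
  try {
    mergeFn({}, payload);
    return ({}).pollutedFlag === true;
  } finally {
    delete Object.prototype.pollutedFlag;
  }
}

console.log('naive merge pollutes:', pollutes(naiveDeepMerge)); // true
console.log('safe merge pollutes:', pollutes(safeDeepMerge));   // false
console.log('flagged paths:', findDangerousKeys(
  JSON.parse('{"a":{"__proto__":{}},"constructor":{"prototype":{}}}')
)); // [ 'a.__proto__', 'constructor', 'constructor.prototype' ]
```

The two defensive measures are complementary: findDangerousKeys lets an input layer reject and log suspicious bodies before they reach any library, while safeDeepMerge protects the merge itself when the library cannot be upgraded immediately. Checking hasOwnProperty before recursing is the detail that matters most, since the naive version's lookup of target["__proto__"] resolves to the inherited prototype rather than an own property.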

Added: Apr 20, 2026, 9:25 AM
Updated: Apr 20, 2026, 9:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.