CVE-2018-3750

Name: CVE-2018-3750
Description: The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 926616

Vulnerable and fixed packages

The table below lists information on source packages.

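| Source Package | Release | Version | Status |
|---|---|---|---|
| node-deep-extend (PTS) | stretch | 0.4.1-1 | vulnerable |
| node-deep-extend | buster | 0.4.1-2 | fixed |
| node-deep-extend | bullseye | 0.6.0-1 | fixed |
| node-deep-extend | sid, trixie, bookworm | 0.6.0-4 | fixed |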

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-deep-extend | source | (unstable) | 0.4.1-2 | unimportant | | 926616 |

Notes

https://nodesecurity.io/advisories/612
nodejs not covered by security support
