CVE-2018-3750: Input Validation

Published May 15, 2018

Node.js deep-extend module could provide weaker than expected security, caused by a flaw in the Utilities function. A remote attacker could exploit this vulnerability to launch further attacks on the system.

Other sources

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

MITRE

Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution.

Recommendation

Update to version 0.5.1 or later.

GitHub

Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Under certain circumstances an attacker can add or modify properties that will exist on all objects.

External References:

https://nodesecurity.io/advisories/612
https://hackerone.com/reports/311333

Red Hat

Affected Software

8 affected components (fixes available where listed):

redhat/nodejs-deep-extend: affected < 0.5.1, fixed in 0.5.1
npm/deep-extend: affected < 0.5.1, fixed in 0.5.1
IBM Cloud Pak for Security (CP4S): affected <= 1.6.0.1
IBM Cloud Pak for Security (CP4S): affected <= 1.6.0.0
IBM Cloud Pak for Security (CP4S): affected <= 1.5.0.1
IBM Cloud Pak for Security (CP4S): affected <= 1.5.0.0
IBM Cloud Pak for Security (CP4S): affected <= 1.4.0.0
Deep Extend Project Deep Extend Node.js: affected <= 0.5.0

Event History

Jul 3, 2018: CVE Published (via MITRE, 09:00 PM)
Jul 3, 2018: Data Sourced (via MITRE, 09:00 PM)
Oct 9, 2018: Advisory Published (via GitHub, 12:44 AM)


Frequently Asked Questions

1. What is CVE-2018-3750?

CVE-2018-3750 is a vulnerability in the deep-extend module of Node.js that could result in weaker than expected security.

2. How can an attacker exploit CVE-2018-3750?

An attacker can exploit CVE-2018-3750 by tricking the utilities function in the deep-extend module into modifying the prototype of Object.

3. What is the severity of CVE-2018-3750?

CVE-2018-3750 has a severity rating of 9.8 (critical).

4. Which versions of deep-extend are affected by CVE-2018-3750?

All versions <= 0.5.0 of the deep-extend module are affected by CVE-2018-3750.

5. How do I fix CVE-2018-3750?

To fix CVE-2018-3750, update to version 0.5.1 of the deep-extend module.
