Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years.
AnalysisAI
Prototype pollution in extend-deep npm package (up to 0.1.6) enables remote attackers to manipulate JavaScript object prototypes via crafted __proto__ payloads, achieving low-severity confidentiality, integrity, and availability impacts. Public exploit code exists on GitHub. CVSS 7.3 with network attack vector and no authentication required. Project repository inactive for years, making official patch unlikely. EPSS data unavailable, but prototype pollution attacks are well-understood and automatable. Not listed in CISA KEV, suggesting limited widespread exploitation despite public POC.
Technical ContextAI
The extend-deep library (cpe:2.3:a:1024bit:extend-deep) is a JavaScript utility for deep object merging, commonly used in Node.js applications. This vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), the classic prototype pollution class. When extend-deep processes untrusted input containing __proto__ keys in index.js, it fails to sanitize property names during recursive object extension. Attackers can inject properties into Object.prototype, affecting all JavaScript objects in the application's runtime. This is a widespread vulnerability pattern in legacy JavaScript merge utilities predating modern secure-by-default alternatives. The affected package exists in the npm ecosystem and may be deeply embedded in dependency trees despite project abandonment.
RemediationAI
No vendor-released patch exists or will be released given the project's multi-year abandonment (RL:X). Primary remediation is dependency replacement: migrate to actively maintained alternatives such as lodash.merge (with prototype pollution protections enabled), deepmerge (version 4.3.0+), or native Object.assign/spread operators for shallow merging. Use npm audit or yarn audit to identify direct and transitive dependencies on extend-deep, then update parent packages that pull it in or fork/patch the dependency chain. Immediate compensating controls: implement input validation to reject or strip __proto__, constructor, and prototype keys before passing objects to extend-deep; deploy Object.freeze(Object.prototype) at application startup to prevent prototype modifications (may break legitimate code); run applications with --frozen-intrinsics flag in Node.js 18+ to lock built-in prototypes. Note that freezing prototypes can cause compatibility issues with legacy libraries expecting mutable prototypes. Runtime application self-protection (RASP) solutions can detect prototype pollution attempts. For containerized deployments, use minimal base images and dependency pinning to prevent introducing the package in new builds. Long-term: establish dependency lifecycle management to sunset unmaintained packages before vulnerabilities emerge.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23812
GHSA-vr46-pfqh-wpf8