nodejs-extend before versions 2.0.2 and 3.0.2 is vulnerable to prototype pollution. The library's deep-merge utility function can be tricked into modifying the prototype of "Object" when an attacker controls part of the structure passed to it (for example, a parsed JSON body containing a key named "__proto__"). This lets an attacker add or modify properties that then exist on every object in the process, which can turn into authorization bypass, denial of service or, depending on how the polluted properties are consumed, code execution.
External Reference: https://snyk.io/vuln/npm:extend:20180424
Upstream Patch: https://github.com/justmoon/node-extend/commit/0e68e71d93507fcc391e398bc84abd0666b28190
Upstream Pull Request: https://github.com/justmoon/node-extend/pull/48
Created nodejs-extend tracking bugs for this issue:
Affects: epel-7 [bug 1608142]
Affects: fedora-all [bug 1608141]
More info about "Prototype Pollution": https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96
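The bug class, as an added example that is not nodejs-extend's own source: a minimal recursive merge in the style of extend(true, target, source), first with the defect described above and then with the key check a fix needs. The function names, the UNSAFE_KEYS denylist and the attacker JSON are this example's own constructions; compare the hardened variant against the upstream patch linked above rather than treating it as that patch.

```javascript
// Added example (not nodejs-extend's code): a minimal deep merge in the style of
// extend(true, target, source), vulnerable and hardened. Sample input is constructed.

// Vulnerable: trusts every enumerable key, including one literally named "__proto__".
// JSON.parse creates "__proto__" as an ordinary own property, so for...in yields it;
// target["__proto__"] then resolves through the accessor to Object.prototype and the
// recursive call writes the attacker's keys onto the shared prototype.
function deepMergeVulnerable(target, source) {
  for (const name in source) {
    const src = target[name];
    const copy = source[name];
    if (copy !== null && typeof copy === 'object' && !Array.isArray(copy)) {
      const clone = src !== null && typeof src === 'object' ? src : {};
      target[name] = deepMergeVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: never descend into or assign "__proto__" (the key this bug hinges on).
// "constructor" and "prototype" are added here as a broader denylist; that is this
// example's choice and covers the same class of attack via Foo.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target, source) {
  for (const name of Object.keys(source)) {
    if (UNSAFE_KEYS.has(name)) continue;
    const src = target[name];
    const copy = source[name];
    if (copy !== null && typeof copy === 'object' && !Array.isArray(copy)) {
      const clone = src !== null && typeof src === 'object' ? src : {};
      target[name] = deepMergeSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. a request body merged into a config.
const ATTACKER_JSON = '{"name":"x","__proto__":{"isAdmin":true}}';

// Merge the attacker input with the given strategy and report what an unrelated,
// freshly created object sees afterwards. Cleans up any pollution before returning
// so later code in the same process is not affected by the demonstration.
function runDemo(merge) {
  const config = { name: 'default' };
  merge(config, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const result = { configName: config.name, leaked: unrelated.isAdmin };
  delete Object.prototype.isAdmin;
  return result;
}
```

With the vulnerable merge, runDemo reports that an object never touched by the merge now carries isAdmin; with the hardened merge the same input sets only the legitimate "name" key. A quick runtime check for an already-polluted process is to inspect an empty object literal for properties it should not have, which is what runDemo does with `unrelated`.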
Statement: Red Hat Quay includes 'extend' only as a build-time dependency. It is not used at runtime, which reduces the impact of this vulnerability on Quay to low.
This issue has been addressed in the following products:
Red Hat Quay 3 via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917