A prototype pollution vulnerability was found in node.extend versions before 1.1.7 and 2.0.x versions before 2.0.1. A deep extend of an attacker-controlled object lets the attacker inject arbitrary properties onto Object.prototype, which every plain object in the process then inherits. References: https://hackerone.com/reports/430831
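The following is an added illustration, not code from node.extend or from this bug report. It assumes (as the description above and the class of bug imply) that the vulnerable path is a recursive merge that walks into a source key named "__proto__" without checking it; the merge functions, the key blocklist and the JSON payload are constructed here for the example. The unsafe function reproduces the pollution and the hardened function shows the usual fix: skip "__proto__", "constructor" and "prototype" and only recurse into the target's own properties.

```javascript
// Added example: a minimal jQuery/node.extend-style deep merge (not the
// package's own code) beside a hardened version, to show how an unchecked
// "__proto__" key ends up writing onto Object.prototype.

// Vulnerable: trusts every enumerable key of the source, including "__proto__".
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    const src = source[key];
    const tgt = target[key];            // for key "__proto__" this is Object.prototype
    if (src && typeof src === 'object' && !Array.isArray(src)) {
      // recursing with tgt === Object.prototype is the pollution step
      target[key] = deepMergeUnsafe(tgt && typeof tgt === 'object' ? tgt : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: never follow keys that reach the prototype chain, and only merge
// into objects the target actually owns (not inherited ones).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    const ownTarget = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (src && typeof src === 'object' && !Array.isArray(src)) {
      target[key] = deepMergeSafe(
        ownTarget && typeof ownTarget === 'object' ? ownTarget : {},
        src
      );
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Runs one merge of a constructed attacker payload (as it would arrive from
// JSON.parse on an HTTP body) and reports whether an unrelated object now
// sees the injected property. Cleans up so repeated runs stay independent.
function demo(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  merge({}, payload);
  const leaked = ({}).polluted;       // a fresh object should never have this
  delete Object.prototype.polluted;
  return leaked;
}

console.log('unsafe merge leaks:', demo(deepMergeUnsafe)); // "yes"
console.log('safe merge leaks:  ', demo(deepMergeSafe));   // undefined
```

JSON.parse creates an own, enumerable property literally named "__proto__", which is why the for-in loop in the unsafe merge sees it; reading target["__proto__"] then yields Object.prototype and the recursion writes straight onto it. A quick check for affected code is therefore to call the merge with that payload and confirm ({}).polluted stays undefined.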
Upstream commit:
2.0.x: https://github.com/dreamerslab/node.extend/commit/7e6135a5da16a755a28ffa596e14a07bf5e0c95b
1.1.x: https://github.com/dreamerslab/node.extend/commit/d63002dbc5ac2bc89c264a81bfb72769ec924f1b

Note that this issue was reported for the node.extend package:
https://www.npmjs.com/package/node.extend
https://github.com/dreamerslab/node.extend

What is included in various Red Hat products is the extend package:
https://www.npmjs.com/package/extend
https://github.com/justmoon/node-extend
Closing this since I mistakenly confused the nodejs.extend package with nodejs-extend. As noted in bug 1672402, comment 1, this vulnerability is for nodejs.extend, while the package we ship is nodejs-extend.