Versions of `just-extend` before 4.0.0 are vulnerable to prototype pollution. Provided certain input `just-extend` can add or modify properties of the `Object` prototype. These properties will be present on all objects.

## Recommendation

Update to version `4.0.0` or later.

Affected Packages

npm just-extend

Affected versions: 0 (fixed in 4.0.0)

Related CVEs

CVE-2018-16489

Key Information

GHSA ID

GHSA-675m-85rw-j3w4

Published

February 7, 2019 6:17 PM

Last Modified

September 7, 2023 6:30 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

just-extend

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.