GHSA-qrmc-fj45-qfc2

GitHub Security Advisory

Prototype Pollution in extend

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Versions of `extend` prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The `extend()` function allows attackers to modify the prototype of `Object`, adding or modifying a property that will then exist on all objects.
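The class of bug described above, shown as an added example that is not code from the `extend` package or from this advisory: a generic recursive merge that follows a `__proto__` key, a hardened variant, and a regression check that can be pointed at any merge function. The names `naiveDeepMerge`, `safeDeepMerge` and `pollutesPrototype` are hypothetical, and the input is constructed.

```javascript
// Added example: generic recursive merges, not the source of the `extend` package.
// naiveDeepMerge, safeDeepMerge and pollutesPrototype are hypothetical names.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern: every key is followed, so "__proto__" resolves to Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-reaching keys and only recurse into own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Regression check: does mergeFn leak a probe property onto every object?
function pollutesPrototype(mergeFn) {
  const probe = '__pp_probe__';
  // Constructed input; JSON.parse makes "__proto__" an ordinary own key.
  const payload = JSON.parse('{"__proto__": {"' + probe + '": true}}');
  try {
    mergeFn({}, payload);
    return ({})[probe] === true;
  } finally {
    delete Object.prototype[probe]; // always restore the global prototype
  }
}

console.log('naive merge polluted Object.prototype:', pollutesPrototype(naiveDeepMerge));
console.log('safe merge polluted Object.prototype:', pollutesPrototype(safeDeepMerge));
```

The same `pollutesPrototype` check can be run in a test suite against whatever merge helper a project depends on, to confirm that the upgrade recommended below has actually taken effect.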

## Recommendation

If you're using `extend` 3.x, upgrade to 3.0.2 or later.
If you're using `extend` 2.x, upgrade to 2.0.2 or later.

Affected Packages

npm extend
Affected versions: 3.0.0 (fixed in 3.0.2)
npm extend
Affected versions: 0 (fixed in 2.0.2)

Key Information

GHSA ID: GHSA-qrmc-fj45-qfc2
Published: February 7, 2019 6:03 PM
Last Modified: August 31, 2020 6:43 PM
CVSS Score: 5.0/10
Primary Ecosystem: npm
Primary Package: extend
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.