<0.1% probability · 18.2th percentile — 2026-05-12
Affected versions
Extend-Deep npm package versions up to 0.1.6
Summary
This vulnerability exists in the unmaintained extend-deep Node.js package: its recursive merge accepts crafted input that lets a remote attacker modify object prototype attributes (prototype pollution). Depending on how the application later reads the polluted properties, prototype pollution flaws can often be chained to achieve remote code execution in applications depending on the vulnerable package. The project's repository has been abandoned for many years, so no official fix was ever released by the original developer.
Remediation
Remove the abandoned extend-deep package from all project dependencies and replace it with an actively maintained alternative. If full removal is not immediately possible, restrict untrusted user input from reaching the vulnerable function in index.js. Audit your dependency tree to confirm that no transitive dependencies pull in the vulnerable code.
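As an added illustration of the bug class (constructed code, not extend-deep's own index.js): a naive recursive merge that a crafted __proto__ key reaches, beside a hardened merge and an input gate that a wrapper can apply before calling into the vulnerable function, as the interim mitigation above suggests. CRAFTED_INPUT and pollutes() are constructed here for the self-check only.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Naive deep merge (constructed, not extend-deep's code): for..in visits the own
// "__proto__" key JSON.parse creates; target["__proto__"] is Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], value);
    } else target[key] = value;
  }
  return target;
}
// Hardened deep merge: own keys only, prototype-reaching keys skipped, and nested
// containers created without a prototype so inherited names cannot collide.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = Object.create(null);
      safeDeepMerge(target[key], value);
    } else target[key] = value;
  }
  return target;
}
// Input gate for the interim mitigation: returns the dotted path of the first
// prototype-reaching key in parsed JSON, or null when the input is clean.
function findForbiddenKey(value, path = '') {
  if (!value || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findForbiddenKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}
// Constructed request body of the shape that triggers the flaw. pollutes() merges it
// with one implementation, reports whether an unrelated fresh object inherited the
// injected key, then undoes the pollution so the check is repeatable.
const CRAFTED_INPUT = '{"name":"alice","__proto__":{"isAdmin":true}}';
function pollutes(mergeFn) {
  const settings = mergeFn({}, JSON.parse(CRAFTED_INPUT));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { leaked, name: settings.name };
}
```

Running findForbiddenKey() on parsed request bodies and rejecting (and logging) any hit gives a cheap detection point until the package is removed.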
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.