CVE-2026-6621
Prototype Pollution in 1024bit extend-deep index.js Enables Remote Exploitation
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the 1024bit extend-deep software up to version 0.1.6, specifically in an unknown function within the file index.js. It involves manipulation of the argument __proto__, which leads to improperly controlled modification of object prototype attributes. This flaw can be exploited remotely.
The vulnerability allows an attacker to alter the prototype of objects, potentially changing the behavior of the application in unintended ways.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized modification of object prototypes, which may result in unexpected application behavior, data corruption, or security bypasses.
Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to affected systems.
The CVSS scores indicate a medium to high severity, with impacts on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote attackers to perform prototype pollution, which can lead to remote code execution, unexpected application behavior, bypassing security checks, and denial of service. Such impacts can compromise the confidentiality, integrity, and availability of data and systems.
Because of these security risks, affected systems may fail to meet compliance requirements of common standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and secure system operation.
However, the provided information does not explicitly state the direct effects on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the extend-deep package version 0.1.6 in your system improperly merges objects containing the __proto__ property, leading to prototype pollution.
A practical approach is to run a proof of concept that merges a malicious object with a __proto__ property into a target object using extend-deep and then check if the polluted property appears on unrelated objects.
While specific commands are not provided, you can write a small JavaScript script that uses extend-deep to merge an object like { __proto__: { polluted: 'yes' } } into another object, then check if {}.polluted returns 'yes'.
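The check described above, written out as an added example that is not code from the advisory or from the extend-deep project: a constructed naive deep merge that behaves like the described bug, a hardened merge that skips __proto__, constructor and prototype, and a probe that tells the two apart. To test the real package, pass its merge function (for example require('extend-deep')) to isPrototypePollutable instead of the constructed one.

```javascript
// Added example, constructed for illustration; naiveDeepMerge is NOT extend-deep's code,
// only a stand-in showing the merge behaviour the advisory describes.

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Constructed naive deep merge: recurses into every own key of `source`, including an
// own "__proto__" key, so target.__proto__ (Object.prototype) receives the writes.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveDeepMerge(target[key], source[key]);
    } else if (isObject(source[key])) {
      target[key] = naiveDeepMerge({}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: refuses keys that reach the prototype chain and only recurses
// into properties the target itself owns, never into inherited objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isObject(source[key])) {
      target[key] = safeDeepMerge(isObject(own) ? own : {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Probe: merge an untrusted JSON document carrying an own "__proto__" key, then ask
// whether an unrelated, freshly created object inherited the marker. JSON.parse is used
// on purpose: a literal `{ __proto__: {...} }` sets the literal's prototype instead.
function isPrototypePollutable(merge) {
  const probe = 'pp_probe_marker';
  const untrusted = JSON.parse(`{"__proto__": {"${probe}": "yes"}}`);
  try {
    merge({}, untrusted);
    return ({})[probe] === 'yes';
  } finally {
    delete Object.prototype[probe]; // undo any pollution so the rest of the process is unaffected
  }
}

console.log('naive merge pollutable:', isPrototypePollutable(naiveDeepMerge)); // true
console.log('safe merge pollutable:', isPrototypePollutable(safeDeepMerge));   // false
```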
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable extend-deep package version 0.1.6, especially since the code repository has not been active for many years and no fixes are likely available.
Consider removing or replacing extend-deep with a maintained alternative that properly sanitizes the __proto__ property to prevent prototype pollution.
Additionally, review your application code to ensure it does not merge untrusted input objects that could contain __proto__ properties.