{"api_version":"1","generated_at":"2026-04-23T04:08:42+00:00","cve":"CVE-2018-3750","urls":{"html":"https://cve.report/CVE-2018-3750","api":"https://cve.report/api/cve/CVE-2018-3750.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-3750","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-3750"},"summary":{"title":"CVE-2018-3750","description":"The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2018-07-03 21:29:00","updated_at":"2018-08-23 13:12:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://hackerone.com/reports/311333","name":"https://hackerone.com/reports/311333","refsource":"MISC","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-3750","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3750","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"3750","vulnerable":"1","versionEndIncluding":"0.5.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"deep_extend_project","cpe5":"deep_extend","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-3750","qid":"940253","title":"AlmaLinux Security Update for nodejs:12 (ALSA-2021:0549)"},{"cve":"CVE-2018-3750","qid":"960803","title":"Rocky Linux Security Update for nodejs:12 (RLSA-2021:0549)"},{"cve":"CVE-2018-3750","qid":"981037","title":"Nodejs (npm) Security Update for deep-extend (GHSA-hr2v-3952-633q)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"support@hackerone.com","DATE_PUBLIC":"2018-05-24T00:00:00","ID":"CVE-2018-3750","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://hackerone.com/reports/311333","refsource":"MISC","url":"https://hackerone.com/reports/311333"}]}},"nvd":{"publishedDate":"2018-07-03 21:29:00","lastModifiedDate":"2018-08-23 13:12:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:deep_extend_project:deep_extend:*:*:*:*:*:node.js:*:*","versionEndIncluding":"0.5.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"3750","Ordinal":"119577","Title":"CVE-2018-3750","CVE":"CVE-2018-3750","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"3750","Ordinal":"1","NoteData":"The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"3750","Ordinal":"2","NoteData":"2018-07-03","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"3750","Ordinal":"3","NoteData":"2018-07-03","Type":"Other","Title":"Modified"}]}}}