Intel

AIKIDO-2026-825669

@lexical/extension is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

48

Medium Risk

This Affects:

JS@lexical/extension
0.36.0 - 0.45.0
Fixed in 0.46.0
Are you affected? Scan for Free

TL;DR

The @lexical/extension package merges theme configuration with deepThemeMergeInPlace, which recursively copies keys from a source object. A __proto__ key produced by JSON.parse is followed during the merge, so merging attacker-influenced theme JSON pollutes the global Object.prototype. Polluted prototype properties then appear on all objects in the application, enabling tampering or denial of service. The fix skips __proto__, constructor, and prototype keys and copies only own properties.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application merges attacker-influenced JSON into the editor theme.

Background info

@lexical/extension is vulnerable to Prototype Pollution in versions 0.36.0 - 0.45.0.

How to fix this

Upgrade the @lexical/extension library to the patch version.