@lexical/extension is vulnerable to Prototype Pollution
48
Medium Risk
The @lexical/extension package merges theme configuration with deepThemeMergeInPlace, which recursively copies keys from a source object. A __proto__ key produced by JSON.parse is followed during the merge, so merging attacker-influenced theme JSON pollutes the global Object.prototype. Polluted prototype properties then appear on all objects in the application, enabling tampering or denial of service. The fix skips __proto__, constructor, and prototype keys and copies only own properties.
You are affected if you are using a version that falls within the vulnerable range and your application merges attacker-influenced JSON into the editor theme.
@lexical/extension is vulnerable to Prototype Pollution in versions 0.36.0 - 0.45.0.
Upgrade the @lexical/extension library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant