Overview
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Remediation
Update to version 4.17.12 or later.
You need to upgrade lodash in your package-lock.json. Mongoose depends on async@2.6.2, which in turn depends on lodash@^4.7.11, so a clean npm install without a lockfile should install lodash@4.17.15.
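One way to check which pinned lodash copies a lockfile still holds below the patched release, as an added example that is not part of the original thread or of mongoose. It assumes the `lockfileVersion: 1` layout (nested `dependencies` plus `requires`); the function names, the sample lockfile, and the `other-tool` package are constructed for illustration.

```javascript
// Added example: audit a lockfileVersion 1 package-lock.json for lodash < 4.17.12.
const FIXED = [4, 17, 12]; // first patched release named in the advisory

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null; // null for git/tarball specs
}
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Returns each pinned lodash older than FIXED, where it sits in the lockfile
// tree, and which packages resolve their lodash requirement to that copy.
function findVulnerableLodash(lock) {
  const installs = new Map(); // location -> version (vulnerable copies only)
  const edges = []; // [requirer location, location of the lodash it resolves to]
  (function walk(deps, trail, scopes) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      const ver = name === "lodash" ? parseVersion(info.version) : null;
      if (ver && isBefore(ver, FIXED)) installs.set(here.join(" > "), info.version);
      const inner = scopes.concat([{ deps: info.dependencies || {}, trail: here }]);
      if (info.requires && "lodash" in info.requires) {
        // Nearest copy wins: the package's own nested deps first, then outward.
        const scope = [...inner].reverse().find((s) => "lodash" in s.deps);
        if (scope) edges.push([here.join(" > "), scope.trail.concat("lodash").join(" > ")]);
      }
      walk(info.dependencies, here, inner);
    }
  })(lock.dependencies, [], [{ deps: lock.dependencies || {}, trail: [] }]);
  return [...installs].map(([location, version]) => ({
    location, version,
    requiredBy: edges.filter(([, to]) => to === location).map(([from]) => from),
  }));
}

// Constructed sample: a stale lockfile still pinning lodash 4.17.11 at top level.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    mongoose: { version: "5.6.9", requires: { async: "2.6.2" } },
    async: { version: "2.6.2", requires: { lodash: "^4.7.11" } }, // range as quoted above
    lodash: { version: "4.17.11" },
    "other-tool": { version: "1.0.0", requires: { lodash: "^4.17.15" }, // hypothetical
      dependencies: { lodash: { version: "4.17.15" } } },
  },
};
for (const hit of findVulnerableLodash(sampleLock)) {
  console.log(`lodash@${hit.version} at ${hit.location}, required by ${hit.requiredBy}`);
}
```

An empty result after regenerating the lockfile confirms that no pinned copy remains below 4.17.12.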
mongoose version : "mongoose": "^5.6.9"
path impacted : mongoose > async > lodash
A security warning is raised by npm.