Prototype Pollution in lodash.merge

high severity Published Sep 3, 2020 • Updated Sep 28, 2021

Package

npm lodash.merge (npm)

Affected versions

< 4.6.1

Patched versions

4.6.1

Description

Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The 'merge' function may allow a malicious user to modify the prototype of Object via a '__proto__' key in the merged input, adding a new property or modifying an existing one so that it then exists on all objects.
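The merge behaviour the advisory describes, as an added example that is not lodash's code: a minimal recursive merge carrying the '__proto__' defect beside a hardened variant that refuses prototype-affecting keys, driven by a constructed JSON body of the kind a request parser would hand to an application.

```javascript
// Added example, not lodash's implementation. Both merges are toy deep
// merges; the untrusted input below is constructed for illustration.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: walks every enumerable key of `source`, including an own
// property literally named "__proto__" (JSON.parse creates such a key).
// Reading target["__proto__"] returns Object.prototype, so the nested
// merge writes into the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips the keys that can reach a prototype and only descends
// into own properties of the target, never inherited ones.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a parsed JSON request body.
const UNTRUSTED_BODY = '{"__proto__": {"polluted": true}, "name": "alice"}';

// Runs one merge and reports whether an unrelated, freshly created object
// now carries the injected property; undoes the pollution afterwards.
function demo(mergeFn) {
  const result = mergeFn({}, JSON.parse(UNTRUSTED_BODY));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: result.name, leaked };
}
```

demo(naiveMerge) reports the leak; demo(safeMerge) merges the legitimate "name" key and leaves Object.prototype untouched.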

Recommendation

Update to version 4.6.1 or later.

References

GHSA ID

GHSA-2m96-9w4j-wgv7