Skip to content

Prototype Pollution in lodash

Low severity GitHub Reviewed Published Jul 26, 2018 • Updated Jan 8, 2021

Package

npm lodash (npm)

Affected versions

< 4.17.5

Patched versions

4.17.5

Description

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

References

CVE ID

CVE-2018-3721