Prototype Pollution in lodash

critical severity Published Jul 10, 2019 • Updated Aug 17, 2021

Package                    Affected versions   Patched versions
lodash (npm)               < 4.17.12           4.17.12
lodash-amd (npm)           < 4.17.13           4.17.13
lodash-es (npm)            < 4.17.14           4.17.14
lodash.defaultsdeep (npm)  < 4.6.1             4.6.1
lodash.merge (npm)         < 4.6.2             4.6.2
lodash.mergewith (npm)     < 4.6.2             4.6.2
lodash.template (npm)      < 4.5.0             4.5.0

Description

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition of a new property or the modification of an existing one that will then exist on all objects.
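As an added illustration (not lodash's code and not part of the advisory), the following JavaScript contrasts a minimal recursive defaults merge that exhibits the bug class with a hardened version, and adds a probe that checks whether a given merge function pollutes Object.prototype; all function names are constructed for this example.

```javascript
// Added example, not lodash's code: a minimal recursive "defaults" merge
// modelling the bug class, its hardened form, and a pollution probe.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// lodash's isObject() counts functions as objects, so walking from
// target.constructor (the Object function) reaches Object.prototype.
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlainObject = (v) => v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;

// Vulnerable pattern: recurses into whatever target[key] resolves to,
// including inherited properties such as `constructor`.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const sv = source[key];
    if (isObjectLike(sv) && isObjectLike(target[key])) {
      unsafeDefaultsDeep(target[key], sv);
    } else if (target[key] === undefined) {
      target[key] = sv;
    }
  }
  return target;
}

// Hardened: drop prototype-walking keys; recurse only into plain objects
// the target itself owns, never into inherited ones.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const sv = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isPlainObject(sv) && isPlainObject(target[key])) {
      safeDefaultsDeep(target[key], sv);
    } else if (!own) {
      target[key] = sv;
    }
  }
  return target;
}

// Probe: merge the advisory's payload shape into a fresh object, then ask
// whether an unrelated object inherits the marker. Always cleans up.
function pollutesPrototype(mergeFn) {
  const marker = '__pp_probe_' + Date.now();
  const payload = JSON.parse(`{"constructor":{"prototype":{"${marker}":1}}}`);
  try {
    mergeFn({}, payload);
    return ({})[marker] === 1;
  } finally {
    delete Object.prototype[marker];
  }
}
```

Running pollutesPrototype against the deep-merge helper an application actually uses is a quick regression check that the fix (or an upgrade to a patched version) is in effect.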

Recommendation

Update to version 4.17.12 or later.

References

CVE ID

CVE-2019-10744

CVSS Score

9.1 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H