Vulnerability
Severity: HIGH (both advisories)
Package: lodash@4.17.21
Affected component: core
Dependency type: transitive (one peerDependency chain reachable at runtime, one devDependency chain used only at code-generation time)
Note: Issue #194 already tracks GHSA-r5fr-rjxr-66jc (Code Injection via _.template) for this package. This issue tracks 2 additional HIGH-severity advisories not covered by #194.
Dependency chains:
pmxt-core → @nevuamarkets/poly-websockets (peerDep) → lodash@4.17.21
pmxt-core → @openapitools/openapi-generator-cli (devDep) → inquirer@8.2.7 → lodash@4.17.21
Advisories (both affect lodash ≤4.17.23)
| Advisory | Description |
|---|---|
| GHSA-xxjr-mmjv-4gpg | Prototype Pollution in `_.unset` and `_.omit`: attacker-controlled property paths can pollute `Object.prototype`, affecting all downstream objects |
| GHSA-f23m-r3pf-42rh | Prototype Pollution via array-path bypass in `_.unset` and `_.omit`: a variant of the above using array-encoded paths to bypass naive (string-only) path sanitization |
Fix
Recommended version: none available. The scan reports 4.17.21 as the latest published lodash v4 release and lists no patched v4 release for these advisories. Note that the affected range quoted above (≤4.17.23) extends past 4.17.21, so confirm the current affected/fixed range on the advisory pages before relying on either figure. The lodash v4 line is effectively unmaintained.
Fix command:
```bash
# Upgrade upstream packages to resolve lodash transitively, or replace lodash
npm update @nevuamarkets/poly-websockets @openapitools/openapi-generator-cli
```
`npm update` only helps if those packages have published releases that drop lodash or pin a fixed version; with no patched lodash v4 release the resolved tree may come back unchanged, so re-run the scan afterwards.
Long-term: consider replacing lodash with maintained alternatives (`just-*` utilities or native ES methods). `lodash-es` is the ES-module build of the same code base and carries the same advisories, so it only helps once a fixed release ships.
Risk Assessment
Prototype Pollution in `_.unset` / `_.omit` is exploitable only when the path argument (the property path passed to `_.unset`, or the paths passed as the second argument to `_.omit`) is attacker-controlled and contains a segment such as `__proto__`, `constructor` or `prototype`; attacker-controlled keys inside the object being trimmed are not sufficient on their own. In the `@nevuamarkets/poly-websockets` runtime path, this is a concern if values from market API responses are later used as property paths for these utilities. The `@openapitools/openapi-generator-cli` chain is a devDependency exercised only during code generation and does not reach the production process. Because both functions accept array paths as well as dotted strings, any sanitization must normalize the path into segments before checking it; otherwise `['__proto__', 'x']` slips past a string-only check, which is exactly the second advisory. Polluting `Object.prototype` changes behaviour across the entire Node.js process, potentially enabling privilege escalation, authentication bypass, or DoS.
Found by automated dependency vulnerability scan