Severity: high

Prototype Pollution

lodash.merge

Overview

Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Remediation

Update to version 4.6.1 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jul 15th, 2019
  2. reported

    Reported by Olivier Arteau (HoLyVieR)
    Jul 15th, 2019