Severity: high

    Prototype Pollution

    lodash.merge

    Overview

    Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

    Remediation

    Update to version 4.6.1 or later.

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      Jul 15th, 2019
    2. reported

      Reported by Olivier Arteau (HoLyVieR)
      Jul 15th, 2019