Nomenclature Predictably Misunderstood
Severity: high

Prototype Pollution



Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.


Update to version 4.6.1 or later.

Have content suggestions? Visit

Advisory timeline

  1. published

    Advisory Published
    Jul 15th, 2019
  2. reported

    Reported by asgerf
    Jul 15th, 2019