Severity: high

Prototype Pollution



Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.


Update to version 4.6.2 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jul 15th, 2019
  2. reported

    Reported by asgerf
    Jul 15th, 2019