Severity: high

    Prototype Pollution



    Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.


    Update to version 4.6.2 or later.

    Have content suggestions? Visit

    Advisory timeline

    1. published

      Advisory Published
      Jul 15th, 2019
    2. reported

      Reported by asgerf
      Jul 15th, 2019