Severity: low

Prototype Pollution

lodash

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Remediation

Update to version 4.17.5 or later.

Resources

Advisory timeline

  1. published

    Advisory published
    Apr 24th, 2018
  2. reported

    Apr 24th, 2018