Severity: low

    Prototype Pollution

    lodash

    Overview

    Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

    The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

    Remediation

    Update to version 4.17.5 or later.

    Resources

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory published
      Apr 24th, 2018
    2. reported

      Initial report by Olivier Arteau (HoLyVieR)
      Apr 24th, 2018