Severity: low

Prototype Pollution



Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.


Update to version 4.17.5 or later.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Apr 24th, 2018
  2. reported

    Initial report by Olivier Arteau (HoLyVieR)
    Apr 24th, 2018