npm

Severity: high

Prototype Pollution

lodash

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Remediation

Update to version 4.17.11 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Feb 13th, 2019
  2. reported

    Reported by asgerf
    Feb 13th, 2019