Prototype Pollution in lodash

2019-02-07T18:16:48
ID GHSA-4XC9-XHRJ-V574
Type github
Reporter GitHub Advisory Database
Modified 2020-08-31T18:35:37

Description

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.