Fluid Attacks Database

Description

Prototype Pollution in lodash.defaultsdeep Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.1 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	lodash.defaultsdeep	>=0 <4.6.1	4.6.1

Aliases

1. GCVE-GHSA-46fh-8fc5-xcwx

References

1. https://www.npmjs.com/advisories/1070

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.