Fluid Attacks Database

Description

Prototype Pollution in lodash Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	lodash-rails	>=0 <4.17.11	4.17.11
npm	lodash	>=0 <4.17.11	4.17.11
debian 11	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1
debian 12	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1
debian 14	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1
debian 13	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1

Aliases

1. CVE-2018-164872. NVD-2018-164873. OSV-2018-164874. OSV-DEBIAN-2018-164875. GCVE-2018-164876. SECURITY-TRACKER-CVE-2018-16487

References

1. https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad2. https://hackerone.com/reports/3808733. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml4. https://security.netapp.com/advisory/ntap-20190919-0004