EIQ-2019-0006



ID

EIQ-2019-0006

CVE

CVE-2018-16487

Description

Prototype pollution in the lodash Node.js module

Date

05 Feb 2019

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

Fixed in 2.4.0

Assessment

The lodash Node.js module, versions 4.17.10 and earlier, allows an attacker to use the defaultsDeep, merge, and mergeWith functions to add or modify properties of Object.prototype via the __proto__ accessor property: a crafted source object that carries an own "__proto__" key (for example, one obtained from parsed JSON) makes the recursive merge write into the target's prototype instead of into the target itself.
Because every ordinary object inherits from Object.prototype, the modified properties are propagated through inheritance to all objects in the process, which can result in a denial of service attack.
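The following is an added illustration of the mechanism described above; it is example code written for this page, not lodash's implementation and not the lodash 4.17.11 patch. It reproduces the unsafe pattern in a minimal recursive merge, places a hardened variant beside it that refuses to walk into prototype-related keys, and checks both against a constructed "__proto__" payload. The function names, the DANGEROUS_KEYS list and the payload are assumptions made for the example.

```javascript
// Keys that address the prototype chain rather than the object itself.
// Assumed deny-list for this example (not taken from lodash).
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: recurses into target[key] for every own key of source.
// For key === "__proto__", target[key] resolves through the accessor to the
// target's prototype (Object.prototype for a plain object), so the recursive
// call writes the attacker's properties onto the shared prototype.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    if (isPlainObject(srcVal) && isPlainObject(target[key])) {
      mergeVulnerable(target[key], srcVal); // target["__proto__"] === Object.prototype
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Hardened variant: skip prototype-related keys entirely and only recurse into
// properties the target actually owns, never into inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const ownNested =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownNested) target[key] = {};
      mergeSafe(target[key], srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse produces an OWN property named
// "__proto__"; an object literal {__proto__: ...} would instead set the
// prototype and would not trigger the bug.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Feeds the payload to the given merge and reports whether an unrelated,
// freshly created object now carries the injected property. Removes the
// property afterwards so the rest of the process is not left polluted.
function checkPollution(mergeFn) {
  const unrelated = {};
  try {
    mergeFn({}, JSON.parse(PAYLOAD));
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log("vulnerable merge pollutes Object.prototype:", checkPollution(mergeVulnerable));
console.log("hardened merge pollutes Object.prototype:  ", checkPollution(mergeSafe));
```

The deny-list is the simplest fix to read; it is not a description of how lodash itself closed the issue. When auditing a code base, the property to look for is any deep-merge, deep-clone or "set by path" routine that indexes into a target with attacker-controlled keys without first checking that the key is an own property of the target.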

Mitigation

Update to lodash 4.17.11 or later.

Affected versions

2.1.0 to 2.3.4 inclusive.

Notes

For more information, see:



In release notes 2.3.3

In release notes 2.3.4

In release notes 2.4.0