EIQ-2019-0016



ID

EIQ-2019-0016

CVE

CVE-2018-3721

Description

lodash enables prototype pollution

Date

22 Mar 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

Fixed: 2.4.0

Assessment

The lodash Node.js module, versions 4.17.4 and earlier, is exposed to a Modification of Assumed-Immutable Data (MAID) vulnerability through its defaultsDeep, merge, and mergeWith functions.
By passing the __proto__ accessor property as a key, an attacker can add or modify properties on an object prototype.
Because these properties live on the prototype, they are inherited by every object that derives from it.

Mitigation

Update to lodash 4.17.11 or later.
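As an added illustration of the assessment and mitigation above (not code from this advisory or from lodash), the block below models the flawed deep-merge behaviour with a minimal recursive merge, places a hardened variant that refuses prototype-reaching keys beside it, and checks whether a fresh object inherits the injected property. The JSON input is constructed for the demonstration; the merge functions are a simplified stand-in for the library's real implementation.

```javascript
// Simplified model of a deep merge that walks every own key of the source,
// including "__proto__". Not lodash's code; it only mirrors the flaw described.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable variant: target["__proto__"] resolves through the accessor to
// Object.prototype, so the recursion writes the attacker's keys onto it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: drop keys that can reach a prototype and only recurse
// into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON request body. JSON.parse creates
// "__proto__" as an ordinary own property, so Object.keys() returns it.
const UNTRUSTED_JSON = '{"name":"x","__proto__":{"polluted":true}}';

// Merge the input with the given function and report whether an unrelated,
// freshly created object now inherits "polluted". Restores the global state.
function pollutesPrototype(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}
```

Running `pollutesPrototype(naiveMerge)` reports `true`, while `pollutesPrototype(safeMerge)` reports `false` and leaves the legitimate keys merged.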

Affected versions

2.3.4 and earlier.

Notes

For more information, see:

In release notes 2.3.4
In release notes 2.4.0