EIQ-2019-0028

ID	EIQ-2019-0028
CVE	CVE-2019-10744
Description	lodash enables prototype pollution
Date	01 Aug 2019
Severity	3 - HIGH
CVSSv3 score	7.3 (source: Snyk. NIST NVD has issued no CVSS score as of this date)
Status	All versions
Assessment	The lodash Node.js module versions 4.17.11 and earlier make it possible for an attacker to exploit an uncontrolled resource consumption vulnerability through the `defaultsDeep` function. An attacker could add or modify object prototype properties of `Object.prototype` with a `constructor` payload. Modified properties are propagated through inheritance to all objects. An attacker could leverage prototype pollution by remotely executing arbitrary code, by injecting properties, or by launching a denial of service (DoS) attack. DoS is the most likely type of attack when exploiting this vulnerability. This vulnerability is a false positive: t his sub-dependency is never packaged in our production code.
Mitigation	Upgrade lodash to version 4.17.12 or later. At the moment, it is not possible to globally upgrade lodash, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.
Affected versions	None
Notes	For more information, see: CVE-2019-10744, Mitre report CVE-2019-10744, Snyk report npm security advisory about the vulnerability Snyk blog post with analysis and exploit of the vulnerability The Hacker News blog post with analysis and exploit of the vulnerability GitHub issue GitHub PR with the fix - 1 GitHub PR with the fix - 2

< Back to all security issues and mitigation actions

In release notes 2.5.0

In release notes 2.6.0