EIQ-2019-0030



ID

EIQ-2019-0030

CVE

-

Description

lodash.mergewith enables prototype pollution

Date

01 Aug 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

Fixed in 2.7.0

Assessment

lodash.mergewith is the lodash _.mergewith method exported as a Node.js module.

Versions 4.6.1 and earlier allow an attacker to exploit a vulnerability through the mergewith function.
An attacker could add or modify properties of Object.prototype with a constructor payload.
Modified properties are propagated through inheritance to all objects.

An attacker could leverage prototype pollution to remotely execute arbitrary code, to inject properties, or to launch a denial of service (DoS) attack.
DoS is the most likely type of attack when exploiting this vulnerability.
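To make the mechanism in the assessment concrete, here is an added example (not the advisory's text and not lodash's code): a minimal recursive merge that descends into inherited values, the way the described defect lets a nested "constructor" payload reach Object.prototype, next to a hardened merge that refuses prototype-reaching keys, and a check that reports whether the shared prototype was touched. The payload and the helper names are constructed for this illustration.

```javascript
// Added example, not the advisory's or lodash's code. Sample payload is constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MARKER = 'eiqPollutionMarker';
// A constructed "constructor payload" of the shape the assessment mentions.
const CONSTRUCTED_PAYLOAD = `{"constructor":{"prototype":{"${MARKER}":true}}}`;

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: descends into whatever the target already holds under a key,
// including inherited values (target.constructor is Object, whose .prototype is
// Object.prototype), so a nested payload reaches the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    const existing = target[key];
    if (existing === null || !['object', 'function'].includes(typeof existing)) {
      target[key] = {};
    }
    naiveMerge(target[key], value);
  }
  return target;
}

// Hardened deep merge: refuses prototype-reaching keys and only descends into
// the target's own plain-object properties, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || !isPlainObject(target[key])) target[key] = {};
    safeMerge(target[key], value);
  }
  return target;
}

// Merges untrusted JSON into a fresh object and reports whether the marker
// leaked into Object.prototype; always cleans up so later code is unaffected.
function pollutes(mergeFn, payloadJson) {
  try {
    mergeFn({}, JSON.parse(payloadJson));
    return ({})[MARKER] === true;
  } finally {
    delete Object.prototype[MARKER];
  }
}
```

The same check can be run against a real merge routine from a dependency to confirm that an upgrade actually closed the hole.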

Mitigation

Upgrade lodash.mergewith to version 4.6.2 or later.

At the moment, it is not possible to upgrade lodash.mergewith globally, because it occurs at least once as a sub-dependency.
Sub-dependencies are indirect dependencies pulled in by other third-party dependencies.

We cannot control these dependencies.
We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

Affected versions

2.4.0 to 2.6.0 inclusive.

Notes

For more information, see:

In release notes 2.5.0

In release notes 2.7.0