EIQ-2019-0028



ID

EIQ-2019-0028

CVE

CVE-2019-10744

Description

lodash enables prototype pollution

Date

01 Aug 2019

Severity

3 - HIGH

CVSSv3 score

7.3

(source: Snyk. NIST NVD has issued no CVSS score as of this date)

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg All versions

Assessment

The lodash Node.js module versions 4.17.11 and earlier make it possible for an attacker to exploit an uncontrolled resource consumption vulnerability through the defaultsDeep function.
An attacker could add or modify object prototype properties of Object.prototype with a constructor payload.
Modified properties are propagated through inheritance to all objects.

An attacker could leverage prototype pollution by remotely executing arbitrary code, by injecting properties, or by launching a denial of service (DoS) attack.
DoS is the most likely type of attack when exploiting this vulnerability.

This vulnerability is a false positive: t his sub-dependency is never packaged in our production code.

Mitigation

Upgrade lodash to version 4.17.12 or later.

At the moment, it is not possible to globally upgrade lodash, because it occurs at least once as a sub-dependency.
Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.
We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

Affected versions

None

Notes

For more information, see:

< Back to all security issues and mitigation actions


In release notes 2.5.0

In release notes 2.6.0