EIQ-2019-0006#

ID	EIQ-2019-0006
CVE	CVE-2018-16487
Description	lodash enables prototype pollution
Date	05 Feb 2019
Severity	4 - CRITICAL
CVSSv3 score	9.8
Status	✅ 2.4.0
Assessment	The lodash Node.js module versions 4.17.10 and earlier make it possible for an attacker to use the the `defaultsDeep`, `merge`, and `mergeWith` functions to add or modify object prototype properties via the `__proto__` accessor property. Modified properties are propagated through inheritance to all objects, which can result in a denial of service attack.
Mitigation	Update to lodash 4.17.11 or later.
Affected versions	2.1.0 to 2.3.4 included.
Notes	For more information, see: CVE-2018-16487, Mitre CVE-2018-16487, HackerOne report GitHub commit with the fix