EIQ-2019-0028#
ID |
EIQ-2019-0028 |
|---|---|
CVE |
|
Description |
lodash enables prototype pollution |
Date |
01 Aug 2019 |
Severity |
3 - HIGH |
CVSSv3 score |
7.3 (source: Snyk. NIST NVD has issued no CVSS score as of this date) |
Status |
✅ All versions |
Assessment |
The lodash Node.js module versions 4.17.11 and earlier make it possible for an attacker to exploit an uncontrolled resource consumption vulnerability through the defaultsDeep function. An attacker could add or modify object prototype properties of Object.prototype with a constructor payload. Modified properties are propagated through inheritance to all objects. An attacker could leverage prototype pollution by remotely executing arbitrary code, by injecting properties, or by launching a denial of service (DoS) attack. DoS is the most likely type of attack when exploiting this vulnerability. Note This vulnerability is a false positive: this sub-dependency is never packaged in our production code. |
Mitigation |
Upgrade lodash to version 4.17.12 or later. At the moment, it is not possible to globally upgrade lodash, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers. |
Affected versions |
None |
Notes |
For more information, see: |