EIQ-2019-0030#

ID	EIQ-2019-0030
CVE	-
Description	lodash.mergewith enables prototype pollution
Date	01 Aug 2019
Severity	3 - HIGH
CVSSv3 score	CVSSv3 score not available on NIST NVD.
Status	✅ 2.7.0
Assessment	lodash.mergewith is the lodash `_.mergewith` method exported as a Node.js module. versions 4.6.1 and earlier make it possible for an attacker to exploit a vulnerability through the `mergewith` function. An attacker could add or modify object prototype properties of `Object.prototype` with a constructor payload. Modified properties are propagated through inheritance to all objects. An attacker could leverage prototype pollution by remotely executing arbitrary code, by injecting properties, or by launching a denial of service (DoS) attack. DoS is the most likely type of attack when exploiting this vulnerability.
Mitigation	Upgrade lodash.mergewith to version 4.6.2 or later. At the moment, it is not possible to globally upgrade lodash.mergewith, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.
Affected versions	2.4.0 to 2.6.0 included.
Notes	For more information, see: npm security advisory about the vulnerability GitHub PR with the fix