Prototype Pollution in lodash (GHSA-4xc9-xhrj-v574)

Severity:: High

Description

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are ‘defaultsDeep’, ‘merge’, and ‘mergeWith’ which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update the lodash package to the latest compatible version. Followings are version details:

Affected version(s): < 4.17.11
Patched version(s): 4.17.11

References

GHSA-4xc9-xhrj-v574
hackerone.com
security.netapp.com
CVE-2018-16487
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 4 - CVE-2019-10744
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 5 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 4 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203

Tags:: npm; lodash

Anything's wrong? Let us know Last updated on August 12, 2025