Prototype Pollution in lodash - lodash

Severity:: High

Description

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are ‘defaultsDeep’, ‘merge’, and ‘mergeWith’ which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update the lodash package to the latest compatible version. Followings are version details:

Affected version(s): < 4.17.11
Patched version(s): 4.17.11

References

GHSA-4xc9-xhrj-v574
hackerone.com
security.netapp.com
CVE-2018-16487
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in lodash - CVE-2018-3721
Prototype Pollution in lodash - lodash - GHSA-jf85-cpcp-j695 - CVE-2019-10744
Prototype Pollution in lodash - lodash-amd - CVE-2019-10744
Prototype Pollution in lodash - lodash.defaultsdeep - CVE-2019-10744

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; lodash

Anything's wrong? Let us know Last updated on August 12, 2025