Description
Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function ‘merge’ may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update the lodash.merge package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.6.1
- Patched version(s): 4.6.1
References
Related Issues
- Prototype Pollution in lodash.merge (GHSA-h726-x36v-rx45) - Vulnerability
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (GHSA-xxjr-mmjv-4gpg) 3 - CVE-2025-13465
- Prototype Pollution in lodash.defaultsdeep (GHSA-h5mp-5q4p-ggf5) - Vulnerability
- Prototype Pollution in lodash.defaultsdeep - Vulnerability
- Tags:
- npm
- lodash.merge
Anything's wrong? Let us know Last updated on January 09, 2023