Description
Versions of lodash.mergewith before 4.6.1 are vulnerable to Prototype Pollution. The function ‘mergeWith’ may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update the lodash.mergewith package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.6.1
- Patched version(s): 4.6.1
References
Related Issues
- Prototype Pollution in lodash.mergewith - Vulnerability
- Prototype Pollution in lodash.merge (GHSA-h726-x36v-rx45) - Vulnerability
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (GHSA-xxjr-mmjv-4gpg) - CVE-2025-13465
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (GHSA-xxjr-mmjv-4gpg) 2 - CVE-2025-13465
- Tags:
- npm
- lodash.mergewith
Anything's wrong? Let us know Last updated on January 09, 2023