PT-2018-16145 · Lodash · Lodash

Holyvier

Published

2018-06-07

Updated

2024-02-16

CVE-2018-3721

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions lodash versions prior to 4.17.5

Description The issue allows a malicious user to modify the prototype of Object via proto, causing the addition or modification of an existing property that will exist on all objects. This is achieved through the defaultsDeep, merge, and mergeWith functions.

Recommendations Update to version 4.17.5 or later. As a temporary workaround, consider avoiding the use of the defaultsDeep, merge, and mergeWith functions until a patch is applied. Restrict access to these functions to minimize the risk of exploitation.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-471CWE-1321

Related Identifiers

AZL-45420

CVE-2018-3721

GHSA-FVQR-27WR-82FM

Affected Products

Lodash

PT-2018-16145 · Lodash · Lodash

CVE-2018-3721

Weakness Enumeration

Related Identifiers

Affected Products

References · 17