PT-2018-3812 · Lodash · Lodash

Published: 2018-10-30 · Updated: 2026-05-29 · CVE-2018-16487

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: lodash versions prior to 4.17.11
Description: A prototype pollution issue was discovered in the merge, mergeWith, and defaultsDeep functions of the lodash library. When these functions merge a source object into a destination, they follow the destination's existing values key by key, including inherited ones, so a source of the form {constructor: {prototype: {...}}} resolves destination.constructor to Object and then Object.prototype, and the nested properties are written there. Any property added or modified this way is inherited by every object in the process, so an attacker who controls merged input (for example a parsed JSON request body) can add or overwrite properties that application code later reads from objects it believes to be empty. Depending on how the application uses those objects, this can affect the confidentiality, integrity, and availability of protected information.
Recommendations: Update to lodash 4.17.11 or later, and check every copy in the dependency tree (npm ls lodash), since nested dependencies may pin an older version. If an immediate upgrade is not possible, do not pass untrusted input to merge, mergeWith, or defaultsDeep, or strip source keys named __proto__, constructor, and prototype before merging.
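The following is an added example, not lodash's own code or a proof of concept from this advisory. It uses a constructed toy deep-merge that mirrors the pre-4.17.11 behaviour described above (it descends into the destination's existing values by key, including the inherited constructor function and its prototype object), beside a hardened variant that applies the key-filtering workaround from the recommendations. The payload strings, the function names vulnerableMerge, safeMerge and probe, and the isAdmin property are all constructed for illustration. Note that lodash 4.17.5 had already blocked the __proto__ key (CVE-2018-3721); this advisory covers the constructor.prototype path that bypassed that fix.

```javascript
// Added example, not lodash's implementation: a toy recursive merge with the
// vulnerable pattern, a hardened merge, and a probe that checks Object.prototype.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObjectValue(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: target['constructor'] resolves through the prototype chain to the
// Object function, and Object['prototype'] is Object.prototype, so the nested
// payload lands on every object in the process. Descending into a function-valued
// destination is exactly what the pre-4.17.11 code did for the first source.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    const dstVal = target[key];
    if (isPlainObjectValue(srcVal)) {
      if (isPlainObjectValue(dstVal) || typeof dstVal === 'function') {
        vulnerableMerge(dstVal, srcVal);
      } else {
        target[key] = vulnerableMerge({}, srcVal);
      }
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Hardened: skip the three keys that can reach a prototype, only descend into
// values the target owns itself (never inherited ones), and write with
// defineProperty so a '__proto__' key could never hit the setter even if it
// slipped past the filter.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObjectValue(srcVal)) {
      let dstVal = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!isPlainObjectValue(dstVal)) {
        dstVal = {};
        Object.defineProperty(target, key, { value: dstVal, writable: true, enumerable: true, configurable: true });
      }
      safeMerge(dstVal, srcVal);
    } else {
      Object.defineProperty(target, key, { value: srcVal, writable: true, enumerable: true, configurable: true });
    }
  }
  return target;
}

// Constructed attacker payloads, as they would arrive in a JSON request body.
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"isAdmin": true}}}';
const PROTO_PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Detection check: has the named property become an own property of Object.prototype?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Run one payload through one merge function, record whether Object.prototype
// changed and whether a fresh object inherits the value, then clean up so the
// rest of the process is unaffected.
function probe(mergeFn, payload) {
  const target = {};
  mergeFn(target, JSON.parse(payload));
  const polluted = isPolluted('isAdmin');
  const seenOnFreshObject = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, seenOnFreshObject, targetKeys: Object.keys(target) };
}

console.log('vulnerableMerge, constructor.prototype:', probe(vulnerableMerge, CONSTRUCTOR_PAYLOAD));
console.log('vulnerableMerge, __proto__:            ', probe(vulnerableMerge, PROTO_PAYLOAD));
console.log('safeMerge, constructor.prototype:      ', probe(safeMerge, CONSTRUCTOR_PAYLOAD));
console.log('safeMerge, __proto__:                  ', probe(safeMerge, PROTO_PAYLOAD));
```

Run this in a throwaway Node process: the vulnerable path really does write to Object.prototype, and the probe only removes the single constructed property it added. The same isPolluted check, applied to a property your application trusts to be absent, is a cheap runtime assertion for spotting pollution from any source, not just this library.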

Exploit

Fix

Prototype Pollution

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2022-05423
CVE-2018-16487
GHSA-4xc9-xhrj-v574
GHSA-898c-q2cr-xwhg

Affected Products

Lodash