PT-2019-2936 · Lodash · Lodash

Published

2019-07-04

·

Updated

2026-04-14

·

CVE-2019-10744

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: lodash versions prior to 4.17.12
Description: The vulnerability lies in the defaultsDeep function of the lodash library, which can be tricked into adding or modifying properties of Object.prototype through a payload that uses the constructor key. Because the function does not validate the keys of the objects it merges, it follows the inherited constructor property of the target object to the Object function and from there to Object.prototype. A remote attacker who controls input passed to defaultsDeep, for example a parsed JSON body of the form {constructor: {prototype: {...}}}, can therefore add or overwrite a property that is subsequently visible on every object inheriting from Object.prototype. Depending on how the application uses the polluted property, this can lead to denial of service, execution of arbitrary JavaScript code, or privilege escalation.
Recommendations: Update to lodash 4.17.12 or later. If upgrading is not immediately possible, limit the use of defaultsDeep and in particular do not pass untrusted (attacker-controlled) input to it; where it must be called on external data, reject or strip the constructor key (and the related prototype and __proto__ keys) before merging.
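The following added example, written for this page and not taken from lodash or the original advisory, re-implements the essence of the pre-4.17.12 defaultsDeep behaviour as a small deep-merge next to a hardened variant, and includes a runtime check for a planted Object.prototype property. The payload string, the function names and the isAdmin property are constructed for illustration; the vulnerable function deliberately reproduces the inherited-property walk (target.constructor -> Object -> Object.prototype) that the CVE describes.

```javascript
// Constructed attacker payload, as it might arrive in a JSON request body.
const PAYLOAD = '{"constructor":{"prototype":{"isAdmin":true}}}';

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable re-implementation (NOT lodash's code): it reads target[key] without
// checking that the property is the target's own, so the "constructor" key in
// untrusted input resolves to the inherited Object function, "prototype" then
// resolves to Object.prototype, and the innermost object is written onto it.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObjectLike(target[key]) && isObjectLike(src)) {
      defaultsDeepVulnerable(target[key], src); // walks into Object, then Object.prototype
    } else if (target[key] === undefined) {
      target[key] = src;                         // lands on Object.prototype.isAdmin
    }
  }
  return target;
}

// Hardened variant: refuse the prototype-walking keys outright and only recurse
// into properties the target actually owns, never into inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isObjectLike(target[key]) && isObjectLike(src)) {
      defaultsDeepSafe(target[key], src);
    } else if (!own) {
      target[key] = src;
    }
  }
  return target;
}

// Runtime check: has a property been planted directly on Object.prototype?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs the vulnerable merge against the payload, records whether the global
// prototype was polluted, then removes the planted property so later code is
// unaffected. Returns true when pollution succeeded.
function runVulnerable() {
  defaultsDeepVulnerable({}, JSON.parse(PAYLOAD));
  const polluted = isPolluted('isAdmin') && ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Runs the hardened merge against the same payload: the constructor key is
// dropped, the target's own defaults survive, and Object.prototype is untouched.
function runSafe() {
  const result = defaultsDeepSafe({ role: 'user' }, JSON.parse(PAYLOAD));
  return { polluted: isPolluted('isAdmin'), result };
}

console.log('vulnerable merge polluted Object.prototype:', runVulnerable());
console.log('hardened merge polluted Object.prototype:', runSafe().polluted);
```

The isPolluted check is also useful as a regression test in an application's own test suite: run the app's merge paths on a payload like PAYLOAD and assert that no unexpected own property appears on Object.prototype afterwards.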

Exploit

Fix

Prototype Pollution

RCE

Weakness Enumeration

Related Identifiers

AZL-44634
BDU:2019-02911
CVE-2019-10744
GHSA-JF85-CPCP-J695
RHSA-2019:3024
RHSA-2020:2362
SNYK-JS-LODASH-450202

Affected Products

Lodash