An open API service providing security vulnerability metadata for many open source software ecosystems.

GitHub Security Advisory GHSA-46fh-8fc5-xcwx

Prototype Pollution in lodash.defaultsdeep

Affected Packages                    Affected Versions    Fixed Versions
npm:lodash.defaultsdeep              < 4.6.1              4.6.1
  PURL: pkg:npm/lodash.defaultsdeep
  936 dependent packages, 396,576 dependent repositories, 5,562,939 downloads last month

Affected Version Ranges

All affected versions

3.10.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.5.0, 4.5.1, 4.6.0

All unaffected versions

4.6.1

Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The defaultsDeep function recurses into every key of attacker-controlled input, including a key named __proto__, which resolves to Object.prototype on the target. A malicious user can therefore add a new property to Object.prototype, or modify an existing one, and the change is then visible on every object in the process.

Recommendation

Update to version 4.6.1 or later.
