Fix CVE–2018–16487

[debricked]

CVE–2018–16487

Vulnerability details

Description

GitHub

Prototype Pollution in lodash

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

NVD

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

GitLab Advisory Database (Open Source Edition)

Uncontrolled Resource Consumption

A prototype pollution vulnerability was found in lodash where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    npm/lodash/CVE-2018-16487.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    NVD - CVE-2018-16487
    Prototype Pollution in lodash · CVE-2018-16487 · GitHub Advisory Database · GitHub
    HackerOne
    September 2019 Lodash Vulnerabilities in NetApp Products | NetApp Product Security
    Changelog · lodash/lodash Wiki · GitHub
    Prototype Pollution in lodash · CVE-2018-16487 · GitHub Advisory Database · GitHub
    Ensure Object.prototype is not augmented by _.merge. · lodash/lodash@90e6199 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE