Versions of lodash before 4.17.12 are vulnerable to prototype pollution (CVE-2019-10744). The function `defaultsDeep` can be tricked into adding or modifying properties of `Object.prototype` when one of its source objects carries a `constructor` key: a payload such as `{"constructor": {"prototype": {"polluted": "yes"}}}` is walked down through `Object` to `Object.prototype`, so every object in the process inherits the injected property. Any application that passes attacker-controlled data (a parsed JSON request body, for example) as a source argument to `defaultsDeep` is exposed. The companion packages listed below were fixed in separate releases, so check each package's own fixed version rather than assuming 4.17.12 applies to all of them.
| Package (ecosystem) | Introduced | Fixed in | Limit |
|---|---|---|---|
| lodash (npm) | 0 | 4.17.12 | N/A |
| lodash-es (npm) | 0 | 4.17.14 | N/A |
| lodash-amd (npm) | 0 | 4.17.13 | N/A |
| lodash.defaultsdeep (npm) | 0 | 4.6.1 | N/A |
| lodash-rails (RubyGems) | 0 | 4.17.12 | N/A |

An Introduced value of 0 means every release before the fixed version is affected; a Limit of N/A means there is no separate upper bound on the affected range.
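As an added, self-contained illustration (not code from lodash or from this advisory), the block below reimplements a simplified deep-defaults merge that exhibits the same pattern as the vulnerable `defaultsDeep`, shows both the `constructor` payload from the description and the equivalent `__proto__` payload landing on `Object.prototype`, and contrasts it with a hardened merge. The function names, the payloads and the `pollutes` probe are assumptions made for this example; the hardened variant is one reasonable defence, not lodash's actual 4.17.12 patch.

```javascript
// Added example, not lodash's own code: a simplified deep-defaults merge that
// reproduces the defaultsDeep prototype-pollution pattern, beside a hardened
// version. Both payloads are constructed for the demonstration.

const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "yes"}}}';
const PROTO_PAYLOAD = '{"__proto__": {"polluted": "yes"}}';

const isObject = (v) => v !== null && typeof v === 'object';

// Vulnerable stand-in for the pre-4.17.12 behaviour: it recurses into whatever
// target[key] resolves to, including inherited values. For the key "constructor"
// on a plain object that is the Object function, whose "prototype" property is
// Object.prototype, so the merge ends up writing attacker-chosen properties there.
function naiveDefaultsDeep(target, source) {
  for (const key in source) {
    const srcVal = source[key];
    const dstVal = target[key]; // no own-property check: may resolve to an inherited value
    if (isObject(srcVal) && (isObject(dstVal) || typeof dstVal === 'function')) {
      naiveDefaultsDeep(dstVal, srcVal);
    } else if (dstVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Hardened version (one reasonable fix, not the exact patch lodash shipped):
// refuse the three keys that reach the prototype chain, and only recurse into
// values the target owns itself, never into inherited ones.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    const dstVal = hasOwn ? target[key] : undefined;
    if (isObject(srcVal) && isObject(dstVal)) {
      safeDefaultsDeep(dstVal, srcVal);
    } else if (!hasOwn) {
      // Copy nested sources through the same filter so a payload buried deeper
      // in the tree is screened as well.
      target[key] = isObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
    }
  }
  return target;
}

// Runs one merge of the payload into an empty object and reports whether an
// unrelated, empty bystander object now sees the injected property through its
// prototype chain. Cleans up afterwards so the pollution does not leak further.
function pollutes(mergeFn, payloadJson) {
  const bystander = {};
  try {
    mergeFn({}, JSON.parse(payloadJson));
    return bystander.polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('naive, constructor payload:', pollutes(naiveDefaultsDeep, CONSTRUCTOR_PAYLOAD)); // true
console.log('naive, __proto__ payload:  ', pollutes(naiveDefaultsDeep, PROTO_PAYLOAD));       // true
console.log('safe,  constructor payload:', pollutes(safeDefaultsDeep, CONSTRUCTOR_PAYLOAD));  // false
console.log('safe,  __proto__ payload:  ', pollutes(safeDefaultsDeep, PROTO_PAYLOAD));        // false
```

Run it with `node`. For a deployed service the remediation is the upgrade to a fixed version; the hardened merge only shows why descending through inherited keys is the root of the problem. Freezing `Object.prototype` at process start (`Object.freeze(Object.prototype)`) blocks this entire class of bug as a defence in depth, at the cost of breaking any dependency that legitimately extends the prototype.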
CVSS Metrics