Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash



On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an ongoing analysis led by the Snyk security research team.

UPDATE: lodash published version 4.17.12 on July 9th which includes Snyk fixes and remediates the vulnerability. We strongly recommend you update to the latest version of lodash.

No official fix for this vulnerability has been published at the time of writing this article. Snyk users are protected by applying a security patch, which is available to about 50,000 vulnerable projects, to remediate the vulnerability in lodash’s latest 4.7.11 version.


The popular npm library is used by 4.35 million projects on GitHub alone. With just shy of 40k GitHub project stars, the library is downloaded over 80 million times each month. Needless to say, a high severity vulnerability in a library as popular as lodash affects a large proportion of npm users.

Snyk actively opened thousands of automatic fix Pull Requests to its users to remediate the vulnerability. More details on the vulnerability, and what you should do next, follow below.

News of this lodash security vulnerability comes only three months after we reported a similar prototype pollution vulnerability in the ever-popular jQuery JavaScript frontend library.

Similar to other prototype pollution vulnerabilities ([1], [2], [3], [4], [5]), an unsafe implementation of recursive JSON merge may allow tampering with JavaScript’s Object, which influences other data types through the prototype chain. The implications of such vulnerabilities can range from property injection to code injection and denial of service, depending on the affected use-case and whether this vulnerability can be exploited.

We have already added the vulnerability to the Snyk database, and if your project is being monitored by Snyk and proves to contain the vulnerable package, you will have already been notified by our routine alerts. If not, you should test your application code repository, to see if it is affected by the vulnerable lodash version.

About lodash security vulnerability

The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. Following is an example of how this vulnerability will impact a JavaScript application:


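const mergeFn = require('lodash').defaultsDeep;
// JSON payload whose "constructor" key leads the merge to Object.prototype
const payload = '{"constructor": {"prototype": {"a0": true}}}';

function check() {
    mergeFn({}, JSON.parse(payload));
    // A brand-new object inheriting a0 means Object.prototype was modified
    if (({})[`a0`] === true) {
        console.log(`Vulnerable to Prototype Pollution via ${payload}`);
    }
}

check();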

Having covered the basics of prototype pollution, we can look at the actual security fix that Snyk’s engineer Kirill submitted as a pull request to the lodash JavaScript library repository on GitHub at https://github.com/lodash/lodash/pull/4336/files:


The fix includes a safety check to ensure that we’re not polluting the global object based on a key that is set to constructor. A test case is also added to ensure no future regressions occur.
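
The kind of key check described above, shown on a simplified recursive merge next to an unguarded one. This is an added example, not lodash's source and not the code from the pull request; the function names are hypothetical, and the blocklist covers more keys than the single constructor key the fix mentions.

```javascript
// Added example: simplified recursive merges, NOT lodash's source code.
// All function names here are hypothetical.
const PAYLOAD = '{"constructor": {"prototype": {"a0": true}}}'; // from the article
const BLOCKED_KEYS = new Set(['constructor', '__proto__', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObjectLike = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// Unguarded: target[key] also resolves inherited properties, so the key
// "constructor" on {} yields the Object function and the merge walks
// from Object into Object.prototype.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObjectLike(src) && isObjectLike(target[key])) {
      unsafeDefaultsDeep(target[key], src);
    } else if (target[key] === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: skip prototype-related keys and recurse only into own properties.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isObjectLike(src) && hasOwn(target, key) && isObjectLike(target[key])) {
      safeDefaultsDeep(target[key], src);
    } else if (target[key] === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Runs the article's check against a merge function, then restores state.
function pollutes(mergeFn) {
  delete Object.prototype.a0;
  mergeFn({}, JSON.parse(PAYLOAD));
  const polluted = ({}).a0 === true;
  delete Object.prototype.a0;
  return polluted;
}

console.log('unguarded merge pollutes:', pollutes(unsafeDefaultsDeep));
console.log('hardened merge pollutes:', pollutes(safeDefaultsDeep));
```

The same pollutes() check works as a regression test for any merge helper in your own code base.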

To read more about prototype pollution vulnerabilities and how they work, you’re welcome to review our lodash vulnerability description.


What should I do

  • If you’re already using Snyk to monitor your applications, you will have already automatically protected yourself by applying the aforementioned security patch sent to you as a PR to your affected projects.
  • If you do not use Snyk, you can add your projects by creating a free account and importing your projects from your code repositories into the Snyk dashboard. Upon seeing the results of your Snyk test scan, you can go ahead and have Snyk create a Pull Request that will remediate your vulnerable lodash library by applying a Snyk patch.
  • There isn’t currently an easy manual fix until a new version of lodash containing the fix is released, at which point you should upgrade to the new version.

Snyk creates patches for high impact vulnerabilities, such as the case with lodash that affects millions of projects across Node.js and JavaScript ecosystems. All patches are tested rigorously in a process that ensures they apply well on supported versions of the affected library.

A more in-depth review of the Snyk patching process is available on our documentation page, Fixing vulnerabilities, and in the blog post Where do security vulnerabilities come from? by Danny Grander, our Chief of Security.

Note: When an official version of lodash is released that contains the fix to this vulnerability, Snyk monitored projects (whether currently patched or not) will automatically be sent a PR with the official library upgrade.

Responsible disclosure

Through the security research conducted by the Snyk team in April, 2019, this and further security vulnerabilities affecting lodash were responsibly disclosed to John Dalton, maintainer of lodash.

The process included a collaboration with John in a private repository to confirm our findings and Snyk’s proposed fixes to remediate the vulnerabilities. Involved in this process was Kirill, one of Snyk’s software engineers, who raised pull requests ([1], [2]) with the fixes to lodash, both of which were merged on June 24th.

We’d like to give John a lot of credit for being so responsive and welcoming our assistance throughout the resolution of this security issue.

lodash npm package by numbers

First published version 7 years ago
Latest version: 4.7.11, published 10 months ago in September 2018
Total vulnerabilities discovered to date: 4 (2 high, 2 medium)
