Last tested: 01 Aug, 2018

lodash vulnerabilities

Lodash modular utilities.


lodash (latest)

Published 19 Jul, 2018

Known vulnerabilities: 0
Vulnerable paths: 0
Dependencies: 0

No known vulnerabilities in lodash

Security-wise, lodash seems to be a safe package to use.
Over time, new vulnerabilities may be disclosed in lodash and other packages. To easily find, fix and prevent such vulnerabilities, protect your repos with Snyk!

Vulnerable versions of lodash

Fixed in 4.17.5

Prototype Pollution

low severity

Detailed paths

  • Introduced through: lodash@4.17.4

Overview

lodash is a JavaScript utility library delivering modularity, performance & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The library's utility functions (for example merge) allow modification of the Object prototype. If an attacker can control part of the structure passed to such a function, they could add a new property to, or modify an existing property of, every object in the application.

PoC by Olivier Arteau (HoLyVieR)

var _ = require('lodash');   // a vulnerable release, e.g. lodash@4.17.4
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};                  // an unrelated, empty object
console.log("Before : " + a.oops);            // undefined
_.merge({}, JSON.parse(malicious_payload));   // the "__proto__" key is walked into Object.prototype
console.log("After : " + a.oops);             // on a vulnerable version: "It works !"
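As a defensive complement to the PoC above, the following is an added example (not from this advisory, the PoC author, or the lodash project) showing how an application can keep untrusted JSON away from the Object prototype: a JSON.parse reviver that drops prototype-polluting keys, a scanner that reports where such keys occur in a parsed document (useful for logging and detection), a deep merge that refuses to write through them, and a post-condition check on Object.prototype. The key list, function names and the sample payload are the example's own assumptions; the sample mirrors the advisory's payload and is constructed here.

```javascript
// Added example: keep prototype-polluting keys in untrusted JSON away from
// deep merges, and verify afterwards that Object.prototype is untouched.
'use strict';

// Keys through which a deep merge can reach Object.prototype (assumed list).
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse reviver: returning undefined removes the key from the result,
// at every nesting depth.
function dropPollutingKeys(key, value) {
  return POLLUTING_KEYS.has(key) ? undefined : value;
}

// Parse untrusted JSON with prototype-polluting keys stripped.
function parseUntrusted(text) {
  return JSON.parse(text, dropPollutingKeys);
}

// Report the dotted paths of any polluting keys in an already-parsed value.
// JSON.parse creates "__proto__" as an own data property, so Object.keys
// sees it here.
function findPollutingPaths(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTING_KEYS.has(key)) out.push(here);
    findPollutingPaths(value[key], here, out);
  }
  return out;
}

// Deep merge that copies only own, non-polluting keys. Nested containers it
// creates have a null prototype, so no write can climb to Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const src = source[key];
    if (src !== null && typeof src === 'object' && !Array.isArray(src)) {
      const existing = target[key];
      const dst = (existing !== null && typeof existing === 'object')
        ? existing
        : Object.create(null);
      target[key] = safeMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Post-condition: a fresh empty object must not inherit the probe key.
function prototypeIsClean(probeKey) {
  return !(probeKey in {});
}

// Constructed sample input mirroring the advisory's payload.
const SAMPLE = '{"__proto__":{"oops":"It works !"},"ok":{"x":1}}';

// Stand-alone demonstration.
const raw = JSON.parse(SAMPLE);
console.log('polluting paths:', findPollutingPaths(raw));   // [ '__proto__' ]
console.log('sanitised keys:', Object.keys(parseUntrusted(SAMPLE))); // [ 'ok' ]
const merged = safeMerge({}, raw);
console.log('merged ok.x:', merged.ok.x, 'prototype clean:', prototypeIsClean('oops'));
```

Two design notes: the reviver also removes legitimate application keys named "constructor" or "prototype", so it is only appropriate where input schemas never use those names; and the post-condition check is cheap enough to run in a test suite after any code path that merges external data, which turns a silent pollution into a failing test.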

Remediation

Upgrade lodash to version 4.17.5 or higher.

References