GHSA-4xc9-xhrj-v574

GitHub Security Advisory

Prototype Pollution in lodash

Status: GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`. They allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, adding a new property to, or modifying an existing property on, every object.
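The merge pattern described above, as an added example that is not lodash's own code: a naive recursive merge that walks into `Object.prototype` through the `constructor`/`prototype` chain, beside a hardened variant and an input-side key check. `naiveMerge`, `safeMerge`, `hasPollutingKeys`, `pollutes` and the sentinel property `polluted` are assumed names; the payload is constructed from the shape the advisory gives.

```javascript
// Added example, not lodash's code: a minimal recursive merge shaped like the
// vulnerable pattern beside a hardened variant. Names are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Naive merge: reuses whatever target[key] already holds, including the inherited
// `constructor` function and its `prototype`, so it walks into Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      if (!isObjectLike(target[key])) target[key] = {};
      naiveMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened merge: skips prototype-reaching keys and only descends into an own,
// plain-object slot of the target, so inherited values are never reused.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Input-side check for untrusted JSON: does any nested key reach a prototype?
function hasPollutingKeys(value) {
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some((k) => FORBIDDEN_KEYS.has(k) || hasPollutingKeys(value[k]));
}
// Merges a payload into a fresh object and reports whether a sentinel property
// leaked onto every object; the sentinel is deleted so the check is repeatable.
function pollutes(mergeFn, payload) {
  mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

Note that `JSON.parse` turns a `"__proto__"` key into an own property, so both spellings of the payload must be handled; rejecting input with `hasPollutingKeys` before merging is a useful second layer even after upgrading.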

## Recommendation

Update to version 4.17.11 or later.

Affected Packages

npm lodash
Affected versions: 0 (fixed in 4.17.11)
RubyGems lodash-rails
Affected versions: 0 (fixed in 4.17.11)

Related CVEs

Key Information

GHSA ID
GHSA-4xc9-xhrj-v574
Published
February 7, 2019 6:16 PM
Last Modified
August 12, 2025 9:36 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
lodash
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.