GHSA-fvqr-27wr-82fm

GitHub Security Advisory

Prototype Pollution in lodash

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`. Each lets a malicious user modify the prototype of `Object` via a `__proto__` key in the merged input, adding or changing a property that will then exist on all objects.
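To make the defect concrete, here is an added example (not lodash's own code): a minimal recursive merge that mirrors the behaviour described above, a hardened merge that refuses prototype-reaching keys, and a probe that reports whether `Object.prototype` has been polluted. The untrusted JSON string inside `demo()` is constructed for the example.

```javascript
// Added example, not lodash's code: a merge mirroring the advisory's defect,
// a hardened merge, and a probe for a polluted Object.prototype.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: "__proto__" is an own key after JSON.parse, so Object.keys()
// yields it, target["__proto__"] resolves to Object.prototype, and the
// recursion writes into the shared prototype.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that reach a prototype and only descend into the
// target's own properties, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// A fresh empty object should not see the property at all.
const isPolluted = (name) => name in {};
// Runs both merges on the same constructed untrusted JSON and reports whether
// each polluted Object.prototype; the prototype is restored in between.
function demo() {
  const untrusted = '{"name":"x","__proto__":{"polluted":"yes"}}';
  mergeVulnerable({}, JSON.parse(untrusted));
  const afterVulnerable = isPolluted('polluted');
  delete Object.prototype.polluted;
  mergeSafe({}, JSON.parse(untrusted));
  return { afterVulnerable, afterSafe: isPolluted('polluted') };
}
```

The same probe (`isPolluted`) is a cheap regression check to keep in a test suite after upgrading, since a polluted prototype is otherwise invisible until some unrelated code reads the injected property.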

## Recommendation

Update to version 4.17.5 or later.

Affected Packages

npm lodash
Affected versions: >= 0, < 4.17.5 (fixed in 4.17.5)

Key Information

GHSA ID
GHSA-fvqr-27wr-82fm
Published
July 26, 2018 3:14 PM
Last Modified
April 22, 2024 7:49 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
lodash
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.