Modification of Assumed-Immutable Data Vulnerability in lodash by lodash
CVE-2018-3721

6.5MEDIUM

Key Information:

Vendor

Hackerone

Status
Lodash Node Module
Vendor
CVE Published:
7 June 2018

What is CVE-2018-3721?

The lodash library, specifically versions prior to 4.17.5, contains a vulnerability that allows for the modification of object prototypes through the 'defaultsDeep', 'merge', and 'mergeWith' functions. This issue can be exploited by an attacker to alter the prototype of the 'Object' class via the 'proto' property. As a result, unauthorized modifications or additions can be made to properties that will affect all instances of objects, posing a significant risk for applications relying on lodash for object manipulation and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

lodash node module Versions before 4.17.5

References

https://hackerone.com/reports/310443
x_refsource_MISC
https://github.com/lodash/lodash/commit/d8e069cc3410082e4...
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20190919-0004/
x_refsource_CONFIRM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.