Modification of Assumed-Immutable Data Vulnerability in lodash by lodash
CVE-2018-3721

6.5 MEDIUM

Key Information:

Vendor: Hackerone
CVE Published: 7 June 2018

What is CVE-2018-3721?

The lodash library, in versions prior to 4.17.5, contains a vulnerability in the 'defaultsDeep', 'merge', and 'mergeWith' functions that allows modification of object prototypes. An attacker can exploit it to alter the prototype of 'Object' via the '__proto__' property. Properties added or modified this way, without authorization, affect all instances of objects, which poses a significant risk for applications that rely on lodash for object manipulation.
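
The behaviour described above, as an added example that is not lodash's code and not part of the original advisory: a constructed unguarded recursive merge beside a guarded one, both run over a constructed JSON input. The names naiveMerge, safeMerge, demo, BLOCKED_KEYS and the 'polluted' property are assumptions made for illustration.

```javascript
// Added example. naiveMerge is a constructed stand-in for an unguarded
// recursive merge; it is NOT lodash's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object';

// Unguarded: target['__proto__'] resolves to Object.prototype, so the
// recursion ends up writing into the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded: drops keys that can reach a prototype and only recurses into
// properties the target owns, copying nested objects into fresh containers.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (!isObject(value)) { target[key] = value; continue; }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || !isObject(target[key])) {
      target[key] = Array.isArray(value) ? [] : {};
    }
    safeMerge(target[key], value);
  }
  return target;
}

// Runs both merges over the same constructed input and reports whether an
// unrelated empty object picked up the property. Cleans up after itself.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  naiveMerge({}, payload);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  const merged = safeMerge({}, payload);
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, safePolluted, merged };
}

console.log(demo());
```

A guard like this applies to hand-written merge helpers; for the lodash functions named above, the affected range ends at version 4.17.5. Blocking 'constructor' and 'prototype' also drops legitimate data keys with those names, so the blocklist should be reviewed against the data the application actually merges.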

Affected Version(s)

lodash node module: versions before 4.17.5

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
