Prototype Pollution Vulnerability in Lodash Affects Multiple Versions
CVE-2020-8203

7.4HIGH

Key Information:

Vendor

Lodash

Status
Lodash
Vendor
CVE Published:
15 July 2020

What is CVE-2020-8203?

A prototype pollution vulnerability exists in Lodash due to improper handling of user input in the _.zipObjectDeep function. This flaw allows an attacker to inject properties into the prototype of an object, leading to potential manipulation of objects and unintended behavior in applications that rely on Lodash for data handling. It is crucial for developers to ensure that versions prior to 4.17.20 are updated to mitigate this risk and maintain the integrity of their applications.

Affected Version(s)

lodash Not Fixed

References

https://hackerone.com/reports/712065
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuApr2021.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20200724-0006/
x_refsource_CONFIRM

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.