Lodash
CVE-2018-3721
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1,716 npm packages depend on lodash (646 direct, 1,094 indirect)
Ecosystem-wide dependent count for version 4.17.5.
DescriptionNVD
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
AnalysisAI
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-471. lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects. Affected products include: Lodash, Netapp Active Iq Unified Manager, Netapp System Manager. Version information: before 4.17.5.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Server-side code injection in Lodash's _.template function (lodash, lodash-es, lodash-amd and lodash.template, versions
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. Rated critical severity (CVSS 9.1), this vu
Lodash versions up to 4.17.22 is affected by improperly controlled modification of object prototype attributes (prototyp
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Rated high severity (CVSS 7.4), this vul
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVS
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. Rated medium severity (CVSS 6.5), th
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today