Prototype Pollution in lodash
Published: July 15, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-8203 (NVD)
- GHSA: GHSA-p6mc-m468-83gw
GEM
SEVERITY
UNAFFECTED VERSIONS
< 3.7.0
PATCHED VERSIONS
>= 4.17.19
DESCRIPTION
Versions of lodash prior to 4.17.19 are vulnerable to Prototype
Pollution. The functions pick, set, setWith, update,
updateWith, and zipObjectDeep allow a malicious user to
modify the prototype of Object if the property identifiers are
user-supplied. Being affected by this issue requires manipulating
objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2020-8203
- https://hackerone.com/reports/712065
- https://github.com/lodash/lodash/issues/4744
- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
- https://github.com/lodash/lodash/issues/4874
- https://github.com/github/advisory-database/pull/2884
- https://hackerone.com/reports/864701
- https://github.com/lodash/lodash/wiki/Changelog#v41719
- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
- https://security.netapp.com/advisory/ntap-20200724-0006
- https://github.com/advisories/GHSA-p6mc-m468-83gw