You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Prototype Pollution in lodash
High severity
GitHub Reviewed
Published
Feb 7, 2019
to the GitHub Advisory Database
•
Updated Aug 12, 2025
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Learn more on MITRE.
Versions of
lodashbefore 4.17.11 are vulnerable to prototype pollution.The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of
Objectvia{constructor: {prototype: {...}}}causing the addition or modification of an existing property that will exist on all objects.Recommendation
Update to version 4.17.11 or later.
References