Lodash Prototype Pollution


TL;DR: fix for lodash >= 4:

npm i lodash@latest

Fix for lodash 3:

npm i remarkablemark/lodash#3.10.2

Background

Prototype Pollution is a security vulnerability that allows attackers to inject properties into the prototype of JavaScript objects (such as Object.prototype), so that every object inherits the injected values (see report 1, report 2, and paper).

Frontend

On the frontend (browser), Prototype Pollution can lead to vulnerabilities like:

Backend

On the backend (Node.js), Prototype Pollution can lead to:

Methods

The vulnerable Lodash methods are:

  • defaultsDeep
  • merge
  • mergeWith
  • set
  • setWith
  • zipObjectDeep
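
As an added example (not lodash's own code), the following shows a naive deep merge of the kind the listed methods used before the fix, a hardened variant that refuses prototype-chain keys, and a regression check a project can run after upgrading. The function names naiveMerge, safeMerge and pollutes are assumptions for illustration.

```javascript
// Added example (not lodash's own code): naive deep merge, hardened
// deep merge, and a regression check for prototype pollution.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: walks every key of `source`, including "__proto__".
// Reading target["__proto__"] returns Object.prototype, so a JSON-derived
// source such as {"__proto__": {"x": 1}} writes x onto every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skips prototype-chain keys and only recurses into
// properties that `target` actually owns, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Regression check: merge a constructed payload into a throwaway object and
// report whether an unrelated, fresh object inherited the canary key.
let canaryId = 0;
function pollutes(mergeFn) {
  const canary = `__pp_canary_${++canaryId}`;          // constructed, unique
  const payload = JSON.parse(`{"__proto__": {"${canary}": 1}}`);
  mergeFn({}, payload);
  const leaked = ({})[canary] === 1;
  delete Object.prototype[canary];                    // undo any pollution
  return leaked;
}
```

Running the same check against the project's real merge helper after `npm install lodash@latest` confirms the upgrade took effect; `npm ls lodash` additionally shows whether a transitive dependency still pins an older copy.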

Fix

lodash 4

The fix for lodash version 4 is to upgrade to >=4.17.15:

npm:

npm install lodash@latest

Yarn:

yarn add lodash@latest

lodash 3

Although there’s a fix for lodash version 3, it hasn’t been published to npm.

Given that lodash hasn’t published version 3.x.x since 2015, I created a repository that has the fix:

npm install remarkablemark/lodash#3.10.2
