TL;DR:

# lodash >=4
$ npm i lodash@4.17.15

# lodash 3
$ npm i remarkablemark/lodash#3.10.2
Background
Prototype Pollution is a security vulnerability that allows attackers to inject properties into a JavaScript object's prototype (typically `Object.prototype`), so that every object inheriting from it picks them up (see report 1, report 2, and paper).
Frontend
On the frontend (browser), Prototype Pollution can lead to vulnerabilities like:
Backend
On the backend (Node.js), Prototype Pollution can lead to:
- Denial of Service (DoS)
- Remote Code Execution (RCE)
Methods
The vulnerable Lodash methods are:
- defaultsDeep
- merge
- mergeWith
- set
- setWith
- zipObjectDeep
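To show what these deep-merge and deep-set methods have in common, here is an added example (not lodash's own code): a minimal recursive merge in its vulnerable form beside a hardened form that refuses the `__proto__`, `constructor` and `prototype` keys, plus a check that tells you whether `Object.prototype` was touched. The names `unsafeMerge`, `safeMerge`, `isPolluted` and `demonstrate` are assumed here.

```javascript
// Added example, not lodash's code: a minimal recursive merge in its
// vulnerable form beside a hardened one; all function names are assumed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: every key of `source` is walked, so an own key named "__proto__"
// (JSON.parse creates one; an object literal would not) makes target[key]
// resolve to Object.prototype and the recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse keys that can reach a prototype, recurse only into an own
// plain object of `target`, and write via defineProperty so no setter runs.
function safeMerge(target, source) {
  const own = (k) => Object.prototype.hasOwnProperty.call(target, k);
  const define = (k, value) =>
    Object.defineProperty(target, k, { value, writable: true, enumerable: true, configurable: true });
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!own(key) || !isPlainObject(target[key])) define(key, {});
      safeMerge(target[key], source[key]);
    } else {
      define(key, source[key]);
    }
  }
  return target;
}
// Detection check: did a property of this name land on Object.prototype?
const isPolluted = (name) => Object.prototype.hasOwnProperty.call(Object.prototype, name);
// Run one constructed untrusted JSON body through both merges and report the
// outcome; any pollution is deleted again so the process stays clean.
function demonstrate(json, probe) {
  unsafeMerge({}, JSON.parse(json));
  const afterUnsafe = isPolluted(probe);
  delete Object.prototype[probe];
  safeMerge({}, JSON.parse(json));
  const afterSafe = isPolluted(probe);
  delete Object.prototype[probe];
  return { afterUnsafe, afterSafe };
}
```

Calling `demonstrate('{"__proto__": {"isAdmin": true}, "name": "x"}', 'isAdmin')` returns `{ afterUnsafe: true, afterSafe: false }`: the unpatched merge pollutes, the hardened one does not.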
Fix
lodash 4
The fix for lodash version 4 is to upgrade to >=4.17.15:
npm:
$ npm install lodash@4.17.15
Yarn:
$ yarn add lodash@4.17.15
lodash 3
Although there's a fix for lodash version 3, it hasn't been published to npm. Given that lodash hasn't published version 3.x.x since 2015, I created a repository that has the fix:
$ npm install remarkablemark/lodash#3.10.2