Lodash Prototype Pollution


TL;DR:

# lodash >=4
$ npm i lodash@4.17.15

# lodash 3
$ npm i remarkablemark/lodash#3.10.2

Background

Prototype Pollution is a security vulnerability that allows attackers to inject properties into a JavaScript object (see report 1, report 2, and paper).

Frontend

On the frontend (browser), Prototype Pollution can lead to vulnerabilities like:

Backend

On the backend (Node.js), Prototype Pollution can lead to:

Methods

The vulnerable Lodash methods are:

  • defaultsDeep
  • merge
  • mergeWith
  • set
  • setWith
  • zipObjectDeep
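
As an added illustration (not code from the original post or from lodash itself), the JavaScript below shows the class of bug behind the methods listed above and a hardened merge that refuses to walk into the prototype chain; naiveMerge, safeMerge, demo and the JSON payload are constructed for this example and do not correspond to lodash's actual implementation.

```javascript
// Minimal recursive deep merge in the spirit of merge/defaultsDeep.
// It walks every key of `source`, "__proto__" included, and reads/writes
// through target[key], so that key resolves to the inherited accessor and
// the recursion ends up writing into the target's prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant of the same algorithm: keys that reach the prototype chain
// are never assigned or recursed into, and only own properties are descended.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an own property literally
// named "__proto__", which Object.keys() returns like any other key.
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "ok"}';

// Merge into an object whose prototype is a private `proto`, so pollution is
// observable in the result without modifying the global Object.prototype.
function demo(mergeFn) {
  const proto = {};
  const target = Object.create(proto);
  mergeFn(target, JSON.parse(PAYLOAD));
  return { name: target.name, protoPolluted: proto.polluted === true };
}
```

Running demo(naiveMerge) reports protoPolluted: true while demo(safeMerge) reports false; the same harness can serve as a regression test against the merge helper an application actually ships.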

Fix

lodash 4

The fix for lodash version 4 is to upgrade to >=4.17.15:

npm:

$ npm install lodash@4.17.15

Yarn:

$ yarn add lodash@4.17.15

lodash 3

Although there’s a fix for lodash version 3, it hasn’t been published to npm.

Given that lodash hasn’t published version 3.x.x since 2015, I created a repository that has the fix:

$ npm install remarkablemark/lodash#3.10.2
