CVE-2018-16487
Published 2019-02-01
Priority P4 · 28 · medium · 5.6 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 1.55% (72.0th percentile)
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axios | axios | < 0.32.0 | 0.32.0 |
| axios | axios | < 0.32.0 | 0.32.0 |
| axios | axios | — | — |
| axios | axios | >= 0 < 0.32.0 | 0.32.0 |
| axios | axios | >= 1.0.0 < 1.16.0 | 1.16.0 |
| axios | axios | >= 1.0.0 < 1.16.0 | 1.16.0 |
| debian | node-lodash | < node-lodash 4.17.11+dfsg-1 (bookworm) | node-lodash 4.17.11+dfsg-1 (bookworm) |
| lodash | lodash | < 4.17.11 | 4.17.11 |
| lodash | lodash | >= 0 < 4.17.11 | 4.17.11 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 5.6 | MEDIUM | — |
| osv | — | 5.6 | MEDIUM | — |
| vendor_debian | — | 5.6 | LOW | — |
| vendor_redhat | — | 5.6 | MEDIUM | — |
Red Hat
lodash: Prototype pollution in utilities function
vendor_redhat·2018-10-30·CVSS 5.6
CVE-2018-16487 [MEDIUM] CWE-20 lodash: Prototype pollution in utilities function
lodash: Prototype pollution in utilities function
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Package: openshift-logging/kibana6-rhel8 (Logging Subsystem for Red Hat OpenShift) - Will not fix
Package: nodejs-lodash (Red Hat Mobile Application Platform 4) - Out of support scope
Package: nodejs-lodash (Red Hat OpenShift Container Platform 3.10) - Out of support scope
Package: kibana (Red Hat OpenShift Container Platform 3.11) - Will not fix
Package: openshift3/grafana (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: openshift3/ose-console (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: nodejs-lodash
Debian
CVE-2018-16487: node-lodash - A prototype pollution vulnerability was found in lodash <4.17.11 where the funct...
vendor_debian·2018·CVSS 5.6
CVE-2018-16487 [MEDIUM] CVE-2018-16487: node-lodash - A prototype pollution vulnerability was found in lodash <4.17.11 where the funct...
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Scope: local
bookworm: resolved (fixed in 4.17.11+dfsg-1)
bullseye: resolved (fixed in 4.17.11+dfsg-1)
forky: resolved (fixed in 4.17.11+dfsg-1)
sid: resolved (fixed in 4.17.11+dfsg-1)
trixie: resolved (fixed in 4.17.11+dfsg-1)
GHSA
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
ghsa·2026-05-29·CVSS 5.6
CVE-2026-44490 [MEDIUM] CWE-1321 axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
## Summary
axios `1.15.2` exposes two read-side prototype-pollution gadgets. When `Object.prototype` is polluted by an upstream dependency in the same process (e.g. lodash `_.merge` / [CVE-2018-16487](https://nvd.nist.gov/vuln/detail/CVE-2018-16487)), axios silently picks up the polluted values:
1. **Header injection** - `lib/utils.js` line 406 builds `merge()`'s accumulator as `result = {}`, so `result[targetKey]` (line 414) walks `Object.prototype` and the polluted bucket's own keys are copied into the merged headers and ride out on the wire.
2. **Crash DoS** - `lib/core/mergeConfig.js` line 26 builds the `hasOwnProperty` descriptor as a plain-object literal. `Object.defineProperty` rea
GHSA
Prototype Pollution in lodash
ghsa·2019-02-07
CVE-2018-16487 [HIGH] CWE-400 Prototype Pollution in lodash
Prototype Pollution in lodash
Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.11 or later.
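The lodash write-side issue described above (a deep merge that follows a `constructor.prototype` path into `Object.prototype`) and the axios read-side gadget described earlier (a `{}` accumulator whose `result[targetKey]` lookup picks up inherited keys) can both be closed in application code by a merge that skips the three dangerous key names and reads only own properties. The block below is an added example written for this page, not lodash or axios code; the names `safeMerge`, `isPlainObject` and `detectPrototypePollution` and the constructed `untrustedInput` are assumptions of the example, not identifiers from the advisories.

```javascript
// Added example (not lodash or axios code): a deep merge that refuses to walk
// the prototype-pollution paths the advisories describe, plus a runtime check
// that Object.prototype has not gained unexpected own properties.

// Key names through which a merge can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; arrays, class instances, Dates
// and primitives are assigned by reference like any other value.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target` and return `target`.
// Differences from the vulnerable behaviour:
//  - keys named __proto__, constructor or prototype are dropped, so an input
//    shaped {constructor: {prototype: {...}}} never reaches Object.prototype;
//  - only own enumerable keys of `source` are read (Object.keys), and the
//    existing `target[key]` is consulted only when it is an own property, so
//    nothing inherited from an already polluted prototype is copied out.
function safeMerge(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) {
    throw new TypeError('safeMerge only merges plain objects');
  }
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous key entirely
    const srcVal = source[key];
    const dstVal = Object.prototype.hasOwnProperty.call(target, key)
      ? target[key]
      : undefined;
    if (isPlainObject(srcVal)) {
      // Fresh container when the target has no own value to merge into.
      const dst = isPlainObject(dstVal) ? dstVal : {};
      target[key] = safeMerge(dst, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Baseline of Object.prototype's own property names, taken at module load.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Returns property names that have appeared on Object.prototype since the
// baseline was taken. A non-empty result is a pollution indicator worth
// logging or alerting on in a long-running Node.js process.
function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !PROTOTYPE_BASELINE.has(name));
}

// Constructed input shaped like the payload the advisory describes; JSON.parse
// creates ordinary own keys, including "constructor", exactly as a request
// body would.
const untrustedInput = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"timeout":1000}'
);

// Merge constructed defaults with the untrusted input and report whether
// anything leaked onto a fresh object.
function demo() {
  const merged = safeMerge({ timeout: 500, retries: 2 }, untrustedInput);
  return {
    merged,
    leaked: ({}).polluted,               // undefined when the merge is safe
    newPrototypeKeys: detectPrototypePollution(),
  };
}

console.log(JSON.stringify(demo()));
```

The detection helper is cheap enough to run periodically or after each batch of configuration merges; because it compares against a baseline captured before any untrusted input is processed, it also catches pollution introduced by a dependency the application does not call directly, which is the scenario the axios advisory on this page describes.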
OSV
Prototype Pollution in lodash
osv·2019-02-07
CVE-2018-16487 [HIGH] Prototype Pollution in lodash
Prototype Pollution in lodash
Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.11 or later.
OSV
CVE-2018-16487: A prototype pollution vulnerability was found in lodash <4
osv·2019-02-01·CVSS 5.6
CVE-2018-16487 [MEDIUM] CVE-2018-16487: A prototype pollution vulnerability was found in lodash <4
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44490 axios: Axios: Information disclosure and denial of service due to prototype pollution
bugzilla·2026-06-11·CVSS 5.6
CVE-2026-44490 [MEDIUM] CVE-2026-44490 axios: Axios: Information disclosure and denial of service due to prototype pollution
CVE-2026-44490 axios: Axios: Information disclosure and denial of service due to prototype pollution
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set vi
Bugzilla
CVE-2018-16487 lodash: Prototype pollution in utilities function
bugzilla·2019-02-01·CVSS 5.6
CVE-2018-16487 [MEDIUM] CVE-2018-16487 lodash: Prototype pollution in utilities function
CVE-2018-16487 lodash: Prototype pollution in utilities function
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
References:
https://hackerone.com/reports/380873
Upstream Patch:
https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
Discussion:
Created lodash tracking bugs for this issue:
Affects: fedora-all [bug 1671879]
Created nodejs-lodash tracking bugs for this issue:
Affects: epel-all [bug 1671880]
---
rh-nodejs8-nodejs does not install modules that export the vulnerable functions, however they may be used internally.
---
This vulnerability is out of security support scope for the following product:
*
Bugzilla
CVE-2018-16487 lodash: Prototype pollution in utilities function [fedora-all]
bugzilla·2019-02-01·CVSS 5.6
CVE-2018-16487 [MEDIUM] CVE-2018-16487 lodash: Prototype pollution in utilities function [fedora-all]
CVE-2018-16487 lodash: Prototype pollution in utilities function [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2018-16487 nodejs-lodash: lodash: Prototype pollution in utilities function [epel-all]
bugzilla·2019-02-01·CVSS 5.6
CVE-2018-16487 [MEDIUM] CVE-2018-16487 nodejs-lodash: lodash: Prototype pollution in utilities function [epel-all]
CVE-2018-16487 nodejs-lodash: lodash: Prototype pollution in utilities function [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
arXiv
Vulnerability Analysis of 2500 Docker Hub Images
arxiv_fulltext·2020-06-11
Vulnerability Analysis of 2500 Docker Hub Images
Vulnerability Analysis of 2500 Docker Hub Images
Katrine Wist, Dep. of Inf. Sec. and Comm. Techn., Norwegian University of Science and Technology (NTNU), Norway
Malene Helsem, Dep. of Inf. Sec. and Comm. Techn., Norwegian University of Science and Technology (NTNU), Norway
Danilo Gligoroski, Dep. of Inf. Sec. and Comm. Techn., Norwegian University of Science and Technology (NTNU), Norway
## Abstract
The use of container technology has skyrocketed during the last few years, with Docker as the leading container platform. Docker's online repository for publicly available container images, called Docker Hub, hosts over 3.5 million images at the time of writing, making it the world's largest community of container images. We pe