CVE-2018-16487 — Uncontrolled Resource Consumption in Lodash

CWE-400 — Uncontrolled Resource Consumption CWE-20 — Improper Input Validation10 documents7 sources

Severity

5.6MEDIUMNVD

EPSS

0.5%

top 35.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lodash Hackerone Lodash

Timeline

PublishedFeb 1

Latest updateFeb 7

Description

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages3 packages

▶NVDlodash/lodash< 4.17.11

▶npmlodash/lodash< 4.17.11

▶CVEListV5hackerone/lodash<4.7.11

🔴Vulnerability Details

GHSA

Prototype Pollution in lodash↗2019-02-07

▶

OSV

Prototype Pollution in lodash↗2019-02-07

▶

CVEList

CVE-2018-16487: A prototype pollution vulnerability was found in lodash <4↗2019-02-01

▶

OSV

CVE-2018-16487: A prototype pollution vulnerability was found in lodash <4↗2019-02-01

▶

📋Vendor Advisories

Red Hat

lodash: Prototype pollution in utilities function↗2018-10-30

▶

Debian

CVE-2018-16487: node-lodash - A prototype pollution vulnerability was found in lodash <4.17.11 where the funct...↗2018

▶

💬Community

Bugzilla

CVE-2018-16487 lodash: Prototype pollution in utilities function↗2019-02-01

▶

Bugzilla

CVE-2018-16487 lodash: Prototype pollution in utilities function [fedora-all]↗2019-02-01

▶

Bugzilla

CVE-2018-16487 nodejs-lodash: lodash: Prototype pollution in utilities function [epel-all]↗2019-02-01

▶