CVE-2018-3721: Modification of Assumed-Immutable Data in Lodash

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 51.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 7; latest update Jul 26

Description

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5: hackerone/lodash_node_module, versions before 4.17.5
NVD: lodash/lodash < 4.17.5
npm: lodash/lodash < 4.17.5

Patches

🔴 Vulnerability Details (4)

OSV: Prototype Pollution in lodash (2018-07-26)
GHSA: Prototype Pollution in lodash (2018-07-26)
OSV: CVE-2018-3721: lodash node module before 4 (2018-06-07)
CVEList: CVE-2018-3721: lodash node module before 4 (2018-06-07)

📋 Vendor Advisories (2)

Red Hat: lodash: Prototype pollution in utilities function (2018-02-15)
Debian: CVE-2018-3721: node-lodash - lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl... (2018)

💬 Community (3)

Bugzilla: CVE-2018-3721 nodejs-lodash: lodash: Prototype pollution in utilities function [epel-all] (2018-02-15)
Bugzilla: CVE-2018-3721 lodash: Prototype pollution in utilities function (2018-02-15)
Bugzilla: CVE-2018-3721 lodash: Prototype pollution in utilities function [fedora-all] (2018-02-15)
CVE-2018-3721 — Modification of Assumed-Immutable Data | cvebase