UNKNOWN npm
Prototype Pollution in lodash.defaultsdeep
GHSA-h5mp-5q4p-ggf5
Published ยท Modified
Description
Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.6.1 or later.
References
Ready to move
Start Securing
Free, no credit card | First findings in minutes