Vulnerability identifier: #VU37072
Vulnerability risk: Medium
Exploitation vector: Network
The vulnerability allows a remote authenticated user to manipulate data.
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Install update from vendor's website.
Vulnerable software versions
Lodash: 4.17.0 - 4.17.4
Fixed software versions
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?