Vulnerability identifier: #VU37072

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2018-3721

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Lodash
Web applications / JS libraries

Vendor: Lodash

Description

The vulnerability allows a remote authenticated user to manipulate data.

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Lodash: 4.17.0 - 4.17.4

---

Fixed software versions

CPE

• cpe:2.3:a:lodash:lodash.js:4.17.0:*:*:*:*:*:*:*

External links
http://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
http://hackerone.com/reports/310443
http://security.netapp.com/advisory/ntap-20190919-0004/

---

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?