MidnightBSD

Advisories for lodash

CVE-2018-16487 MEDIUM

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
lodash lodash *
CVE-2018-3721 MEDIUM

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-471,CWE-1321,

Products Affected

Vendor Product Version
lodash lodash *
netapp active_iq_unified_manager -
netapp system_manager 9.0
CVE-2019-1010266 MEDIUM

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-770,

Products Affected

Vendor Product Version
lodash lodash *
CVE-2019-10744 MEDIUM

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
f5 big-ip_fraud_protection_service *
f5 big-ip_webaccelerator *
netapp active_iq_unified_manager -
netapp service_level_manager -
f5 big-ip_application_security_manager *
f5 big-iq_centralized_management 7.0.0
f5 big-ip_local_traffic_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_edge_gateway *
f5 big-iq_centralized_management 5.4.0
f5 iworkflow 2.3.0
f5 big-ip_access_policy_manager *
f5 big-ip_analytics *
lodash lodash *
f5 big-ip_advanced_firewall_manager *
oracle banking_extensibility_workbench 14.4.0
f5 big-ip_domain_name_system *
redhat virtualization_manager 4.3
f5 big-ip_policy_enforcement_manager *
f5 big-iq_centralized_management *
f5 big-ip_link_controller *
f5 big-ip_global_traffic_manager *
oracle banking_extensibility_workbench 14.3.0
CVE-2020-28500 MEDIUM

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
report@snyk.io 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_credit_facilities_process_management 14.5.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle banking_credit_facilities_process_management 14.2.0
oracle communications_session_border_controller 8.4
oracle primavera_gateway *
oracle health_sciences_data_management_workbench 3.0.0.0
oracle banking_trade_finance_process_management 14.3.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_supply_chain_finance 14.3.0
oracle primavera_unifier 19.12
oracle communications_design_studio 7.4.2
oracle primavera_unifier *
oracle communications_cloud_native_core_policy 1.11.0
oracle primavera_unifier 18.8
oracle enterprise_communications_broker 3.2.0
siemens sinec_ins *
oracle banking_supply_chain_finance 14.5.0
oracle banking_trade_finance_process_management 14.2.0
oracle banking_extensibility_workbench 14.2.0
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_credit_facilities_process_management 14.3.0
oracle primavera_unifier 20.12
lodash lodash *
oracle banking_trade_finance_process_management 14.5.0
oracle health_sciences_data_management_workbench 2.5.2.1
oracle communications_services_gatekeeper 7.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle banking_corporate_lending_process_management 14.5.0
oracle banking_extensibility_workbench 14.5.0
oracle banking_supply_chain_finance 14.2.0
siemens sinec_ins 1.0
oracle communications_session_border_controller 9.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_extensibility_workbench 14.3.0
oracle enterprise_communications_broker 3.3.0
oracle banking_corporate_lending_process_management 14.3.0
CVE-2020-8203 MEDIUM

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-1321,

Products Affected

Vendor Product Version
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_credit_facilities_process_management 14.2.0
oracle communications_session_border_controller 8.4
oracle communications_session_border_controller cz8.4
oracle primavera_gateway *
oracle banking_liquidity_management 14.3.0
oracle banking_trade_finance_process_management 14.3.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_supply_chain_finance 14.3.0
oracle banking_virtual_account_management 14.2.0
oracle banking_virtual_account_management 14.3.0
oracle banking_liquidity_management 14.5.0
oracle communications_cloud_native_core_policy 1.11.0
oracle enterprise_communications_broker 3.2.0
oracle communications_session_router cz8.4
oracle banking_supply_chain_finance 14.5.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle banking_trade_finance_process_management 14.2.0
oracle banking_extensibility_workbench 14.2.0
oracle banking_virtual_account_management 14.5.0
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_credit_facilities_process_management 14.3.0
lodash lodash *
oracle banking_trade_finance_process_management 14.5.0
oracle banking_corporate_lending_process_management 14.5.0
oracle banking_extensibility_workbench 14.5.0
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.2.0
oracle communications_subscriber-aware_load_balancer cz8.3
oracle communications_session_border_controller 9.0
oracle enterprise_communications_broker pcz3.3
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_subscriber-aware_load_balancer cz8.4
oracle banking_extensibility_workbench 14.3.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle enterprise_communications_broker 3.3.0
oracle banking_corporate_lending_process_management 14.3.0
oracle banking_liquidity_management 14.2.0
CVE-2021-23337 MEDIUM

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
report@snyk.io 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
oracle communications_design_studio 7.4.2.0.0
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_credit_facilities_process_management 14.5.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle banking_credit_facilities_process_management 14.2.0
oracle communications_session_border_controller 8.4
netapp active_iq_unified_manager -
oracle primavera_gateway *
oracle health_sciences_data_management_workbench 3.0.0.0
oracle banking_trade_finance_process_management 14.3.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_supply_chain_finance 14.3.0
oracle primavera_unifier 19.12
oracle communications_cloud_native_core_binding_support_function 1.9.0
oracle primavera_unifier *
oracle communications_cloud_native_core_policy 1.11.0
oracle primavera_unifier 18.8
oracle enterprise_communications_broker 3.2.0
siemens sinec_ins *
oracle banking_supply_chain_finance 14.5.0
oracle banking_trade_finance_process_management 14.2.0
oracle banking_extensibility_workbench 14.2.0
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp cloud_manager -
oracle banking_credit_facilities_process_management 14.3.0
oracle primavera_unifier 20.12
lodash lodash *
oracle banking_trade_finance_process_management 14.5.0
oracle health_sciences_data_management_workbench 2.5.2.1
oracle communications_services_gatekeeper 7.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle banking_corporate_lending_process_management 14.5.0
oracle banking_extensibility_workbench 14.5.0
oracle banking_supply_chain_finance 14.2.0
siemens sinec_ins 1.0
oracle communications_session_border_controller 9.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_extensibility_workbench 14.3.0
netapp system_manager 9.0
oracle enterprise_communications_broker 3.3.0
oracle banking_corporate_lending_process_management 14.3.0
CVE-2025-13465

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Products Affected

Vendor Product Version
lodash lodash *