Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of a property that will then exist on all objects.
Update to version 4.17.12 or later.
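
The pattern behind this class of bug, shown beside a hardened form. This is an added example, not lodash's own code: naiveDefaultsDeep, safeDefaultsDeep, BLOCKED_KEYS and the pollutedMarker property are hypothetical names, and the input is constructed in the shape quoted above.

```javascript
'use strict';
// Added illustration: naiveDefaultsDeep and safeDefaultsDeep are hypothetical
// helpers written for this example; they are not lodash source code.

const isObj = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Flawed pattern: recurses into whatever target[key] resolves to, including
// inherited values such as {}.constructor (Object) and Object.prototype.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key]) && isObj(target[key])) {
      naiveDefaultsDeep(target[key], source[key]);
    } else if (target[key] === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: skips prototype-reaching keys and only recurses into
// properties the target owns. Nested defaults are assigned by reference.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isObj(target[key]) && isObj(source[key])) {
      safeDefaultsDeep(target[key], source[key]);
    } else if (!own || target[key] === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

function demo() {
  // Constructed input in the shape the advisory quotes.
  const input = JSON.parse(
    '{"constructor":{"prototype":{"pollutedMarker":"yes"}},"theme":"dark"}');
  const merged = safeDefaultsDeep({}, input);
  const afterSafe = ({}).pollutedMarker;
  naiveDefaultsDeep({}, input);
  const afterNaive = ({}).pollutedMarker;
  delete Object.prototype.pollutedMarker; // restore the shared prototype
  return { afterSafe, afterNaive, theme: merged.theme };
}

console.log(demo());
```

The same probe, a fresh {} checked for a marker property after merging untrusted input, works as a regression test against whichever merge helper an application actually uses.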
{ "nvd_published_at": "2019-07-26T00:15:00Z", "cwe_ids": [ "CWE-1321", "CWE-20" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2019-07-10T19:41:11Z" }