View all vulnerabilities

CVE-2019-10744

Prototype Pollution in lodash

Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.## RecommendationUpdate to version 4.17.12 or later.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
9.1
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Versions
lodash < 4.17.12; lodash-es < 4.17.14; lodash-amd < 4.17.13; lodash.defaultsdeep < 4.6.1; lodash-rails < 4.17.12
Severity
Ecosystem
JavaScript
Publish Date
July 10, 2019
Modified Date
August 12, 2025