.avif)
View all vulnerabilities
CVE-2018-16487
Prototype Pollution in lodash
Description
Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.11 or later.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgradingVulnerability Details
Score
Score Vector
Affected Versions
lodash < 4.17.11; lodash-rails < 4.17.11
Severity
Ecosystem
JavaScript
Publish Date
February 7, 2019
Modified Date
August 12, 2025