View all vulnerabilities

CVE-2018-16487

Prototype Pollution in lodash

Description

Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.




Recommendation

Update to version 4.17.11 or later.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
Score Vector
Affected Versions
lodash < 4.17.11; lodash-rails < 4.17.11
Severity
Ecosystem
RubyGems
Publish Date
February 7, 2019
Modified Date
August 12, 2025