GHSA-5947-m4fg-xhqg

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Prototype Pollution in lodash.mergewith

Versions of lodash.mergewith before 4.6.1 are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.1 or later.

Ссылки

https://www.npmjs.com/advisories/1069

Пакеты

Наименование

lodash.mergewith

npm

Затронутые версииВерсия исправления

< 4.6.1

4.6.1

Дефекты

CWE-1321

Дефекты

CWE-1321