GHSA-779f-wgxg-qr8f

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Prototype Pollution in lodash.mergewith

Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.2 or later.

Ссылки

https://www.npmjs.com/advisories/1071

Пакеты

Наименование

lodash.mergewith

npm

Затронутые версииВерсия исправления

< 4.6.2

4.6.2

Дефекты

CWE-1321

Дефекты

CWE-1321