Critical security alert: lodash.merge

Question

Critical security alert: lodash.merge

drewwmercer opened this issue 5 years ago · comments

Dependabot cannot update to the required version

lodash.merge vulnerability found in package-lock.json on Jul 10
Remediation: Upgrade lodash.merge to version 4.6.2 or later.

For example:

"dependencies": {
  "lodash.merge": ">=4.6.2"
}

or…

"devDependencies": {
  "lodash.merge": ">=4.6.2"
}

Details: CVE-2019-10744
critical severity
Vulnerable versions: < 4.6.2
Patched version: 4.6.2

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Drew W Mercer · Answer 1 · Tue Oct 01 2019 23:03:11 GMT+0800 (China Standard Time)

@achakavarti can you check this out?

Drew W Mercer · Answer 2 · Tue Oct 01 2019 23:05:03 GMT+0800 (China Standard Time)

Latest version is 4.6.2