Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
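To make the mechanism concrete, the following is an added, self-contained example; it is not lodash's own code. It implements a minimal deep-defaults merge that reproduces the bug class (the walk follows a "constructor" key from a plain object to Object, then "prototype" to Object.prototype, and assigns there), next to a hardened version that refuses to traverse `__proto__`, `constructor` and `prototype` and only recurses into the target's own properties. The JSON payload and the `isAdmin` property name are constructed for the demonstration.

```javascript
// Added example (not lodash's implementation): a minimal deep-defaults merge
// that reproduces the bug class behind CVE-2019-10744, beside a hardened form.

// Same notion of "object" as lodash's isObject: functions count, which is what
// lets the walk step from a plain object to its `constructor` (Object).
function isObject(v) {
  const t = typeof v;
  return v !== null && (t === 'object' || t === 'function');
}

// VULNERABLE: follows every source key, including "constructor", and reads
// target[key] through the prototype chain. For a plain target the chain
// {} -> constructor -> prototype ends at Object.prototype, which is shared by
// every object in the realm, so the final assignment pollutes it.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const sv = source[key];
    const tv = target[key];
    if (isObject(sv) && isObject(tv)) {
      unsafeDefaultsDeep(tv, sv);        // tv may now be Object or Object.prototype
    } else if (tv === undefined) {
      target[key] = sv;                  // "defaults": only fill missing values
    }
  }
  return target;
}

// HARDENED: never follow the three keys that lead to a shared prototype, and
// only recurse into the target's own properties, never inherited ones.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const sv = source[key];
    const tv = hasOwn(target, key) ? target[key] : undefined;
    if (isObject(sv) && isObject(tv)) {
      safeDefaultsDeep(tv, sv);
    } else if (tv === undefined) {
      target[key] = sv;
    }
  }
  return target;
}

// Constructed attacker input, as it would arrive in a JSON request body
// (JSON.parse creates "constructor" as an ordinary own property).
const PAYLOAD = JSON.parse(
  '{"constructor":{"prototype":{"isAdmin":true}},"name":"guest"}'
);

// Call `merge` the way an application might call defaultsDeep({}, body), then
// check whether an unrelated, freshly created object now inherits the injected
// key. Returns true when Object.prototype was polluted. Cleans up afterwards so
// the rest of the process is unaffected.
function pollutes(merge) {
  try {
    merge({}, PAYLOAD);
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('unsafe merge pollutes Object.prototype:', pollutes(unsafeDefaultsDeep)); // true
console.log('safe merge pollutes Object.prototype:  ', pollutes(safeDefaultsDeep));   // false
```

The same walk is reachable through a `"__proto__"` key in parsed JSON (a plain target's `__proto__` is Object.prototype directly), which is why the blocklist in the hardened version covers all three names rather than `constructor` alone. The `pollutes` helper doubles as a regression check: run it against whichever merge your code actually uses and it must return false.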
Remediation
Upgrade lodash to version 4.17.13 or later. Note that a range in package.json only constrains the direct dependency: copies of lodash pulled in transitively by other packages, and versions pinned in a lockfile, must be updated as well (check what is actually installed with npm ls lodash). For example:
"dependencies": {
"lodash": ">=4.17.13"
}
or…
"devDependencies": {
"lodash": ">=4.17.13"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2019-10744
Vulnerable versions: < 4.17.13
Patched version: 4.17.13