CVE-2018-16487
Prototype Pollution vulnerability in lodash (npm)
What is CVE-2018-16487 About?
This vulnerability affects `lodash` versions before 4.17.11 and is a Prototype Pollution flaw. The deep-merge functions `defaultsDeep`, `merge`, and `mergeWith` can be driven to write through the `constructor.prototype` path of a plain object, which resolves to `Object.prototype`. Because every ordinary JavaScript object inherits from `Object.prototype`, an injected property appears on all objects in the application, which can lead to arbitrary property injection, data tampering, or, depending on how the application later uses the polluted properties, code execution. Exploitation requires the attacker to control input passed to these specific `lodash` functions.
Affected Software
- lodash
- <4.17.11
- lodash-rails
- <4.17.11
Technical Details
The lodash package, in versions prior to 4.17.11, is vulnerable to Prototype Pollution. The vulnerability lives in functions such as defaultsDeep, merge, and mergeWith, which recursively extend or merge objects by walking the keys of the source object and descending into whatever the target already holds under the same key. Attackers can exploit this by crafting input of the form `{constructor: {prototype: {maliciousProperty: 'maliciousValue'}}}`. When these functions process such input against a plain-object target, the `constructor` key resolves to the `Object` function and its `prototype` key resolves to `Object.prototype`, so the nested keys are written onto `Object.prototype` itself. The injected or altered properties are then inherited by every JavaScript object in the process, allowing an attacker to inject arbitrary properties, manipulate the behavior of existing objects, or, in some contexts, achieve remote code execution.
What is the Impact of CVE-2018-16487?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript objects, bypass security checks, modify application behavior, or potentially achieve remote code execution.
What is the Exploitability of CVE-2018-16487?
Exploitation of this Prototype Pollution vulnerability involves providing specially crafted input (e.g., a JSON request body) to an application that calls the lodash functions defaultsDeep, merge, or mergeWith on untrusted data. The complexity is moderate: the attacker needs to know which lodash function processes their input and how to shape the payload so that the merge descends into `constructor.prototype`. No authentication is inherently required if these functions process unauthenticated user input, and privilege requirements are low, since any user whose input reaches these functions can potentially trigger it. The attack can be remote or local. The primary precondition is the use of the mentioned lodash functions on attacker-controlled input without robust sanitation of the keys being merged. The likelihood of exploitation increases in applications that widely use these lodash functions to process and merge complex data structures derived from user input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-16487?
About the Fix from Resolved Security
The patch hardens the internal `safeGet` helper that the merge functions use to read a key from the target and source objects: it refuses to traverse the `__proto__` key, and it refuses the `constructor` key when that key resolves to a function (which is exactly the case for a plain object, whose `constructor` is `Object`). With those two reads returning nothing, a crafted `constructor.prototype` path can no longer reach `Object.prototype`, and the merge instead creates an ordinary own property on the target. This closes the root cause of CVE-2018-16487, where attackers could inject properties into `Object.prototype` through merge operations and compromise application security.
Available Upgrade Options
- lodash
- <4.17.11 → Upgrade to 4.17.11
- lodash-rails
- <4.17.11 → Upgrade to 4.17.11
Additional Resources
- https://www.npmjs.com/advisories/782
- https://nvd.nist.gov/vuln/detail/CVE-2018-16487
- https://hackerone.com/reports/380873
- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
- https://security.netapp.com/advisory/ntap-20190919-0004
- https://osv.dev/vulnerability/GHSA-4xc9-xhrj-v574
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml
- https://github.com/advisories/GHSA-4xc9-xhrj-v574
What are Similar Vulnerabilities to CVE-2018-16487?
Similar Vulnerabilities: CVE-2018-3750, CVE-2019-10744, CVE-2020-28286, CVE-2020-7712, CVE-2021-23351
