CVE-2018-3721
Prototype Pollution vulnerability in lodash (npm)

Tags: Prototype Pollution · No known exploit · Fixable by Resolved Security

What is CVE-2018-3721 About?

`lodash` versions before 4.17.5 are vulnerable to prototype pollution through functions like `defaultsDeep`, `merge`, and `mergeWith`. This allows a malicious user to add or modify properties on the `Object` prototype, impacting all objects. Exploitation occurs when these vulnerable functions process attacker-controlled input.

Affected Software

  • lodash
    • <4.17.5
  • lodash-rails
    • <4.17.5

Technical Details

The lodash library's defaultsDeep, merge, and mergeWith functions, in versions prior to 4.17.5, are susceptible to prototype pollution. This happens because these functions do not correctly sanitize or restrict object property names during recursive merging operations. An attacker can craft input objects containing properties like __proto__ or constructor.prototype. When these specially named properties are passed to the vulnerable lodash functions, the library inadvertently traverses up the prototype chain and modifies the global Object.prototype, injecting or overwriting properties that will then be inherited by all other objects in the application. This can lead to unexpected behavior, denial of service, or even remote code execution depending on how the polluted properties are later used by the application.

What is the Impact of CVE-2018-3721?

Successful exploitation may allow attackers to pollute the global JavaScript `Object` prototype, potentially leading to denial of service, remote code execution, or unauthorized data manipulation across the application.

What is the Exploitability of CVE-2018-3721?

Exploitation of this prototype pollution vulnerability requires moderate complexity. An attacker must be able to input data that is ultimately processed by lodash's defaultsDeep, merge, or mergeWith functions. There are no inherent authentication or privilege requirements; instead, the attack vector depends on whether an application exposes a way for untrusted input to reach these functions. This is a remote vulnerability if applications parse external input (e.g., JSON from API requests, query parameters) with the vulnerable functions. The risk is elevated when lodash is used to combine or extend objects where some parts of the input are user-controlled and not adequately validated or sanitized.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
--- | --- | --- | ---
No known exploits | | |

What are the Available Fixes for CVE-2018-3721?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

The patch prevents properties named `__proto__` from being merged into target objects by adding a safe accessor (`safeGet`) and an explicit check to avoid assigning values to the `__proto__` key during object merging. This mitigates prototype pollution, thereby fixing vulnerability CVE-2018-3721, which allowed attackers to manipulate an object's prototype chain by injecting `__proto__` properties through `_.merge`.
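The mechanism in Technical Details and the fix described just above, shown side by side as an added example. This is not lodash's own code: `naiveMergeDeep` is a generic recursive merge that exhibits the defect, `safeMergeDeep` and `safeGet` are modelled on the accessor-plus-key-check approach the advisory describes, and `findUnsafeKeys` is an added input pre-check a defender can run on untrusted JSON before any merge. The payload string and the `polluted` property name are constructed for the demonstration.

```javascript
// Added example (not lodash's code). Key names that can steer a recursive
// merge into the prototype chain.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable pattern: every own key of `source` is trusted, so for the key
// "__proto__" the lookup target[key] goes through the accessor and resolves
// to Object.prototype, and the recursion then writes into it.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern, modelled on the described fix: an accessor that never
// follows the __proto__ key, plus an explicit key check before assignment.
function safeGet(obj, key) {
  return key === '__proto__' ? undefined : obj[key];
}

function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never merge into the prototype chain
    const value = safeGet(source, key);
    if (isPlainObject(value)) {
      let existing = safeGet(target, key);
      if (!isPlainObject(existing)) {
        existing = {};
        target[key] = existing;
      }
      safeMergeDeep(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Added pre-check for untrusted input: walk parsed JSON and report the paths
// of any keys that could reach the prototype chain, so a request can be
// rejected or logged before it reaches a merge.
function findUnsafeKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findUnsafeKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (UNSAFE_KEYS.has(key)) found.push(childPath);
      findUnsafeKeys(value[key], childPath, found);
    }
  }
  return found;
}

// Constructed sample payload as it would arrive from JSON.parse, which creates
// an own property literally named "__proto__".
const SAMPLE_PAYLOAD = '{"name":"alice","__proto__":{"polluted":"yes"}}';

// Runs the vulnerable merge, records what an unrelated fresh object inherits,
// then removes the polluted property so the process is left clean.
function demoNaive() {
  naiveMergeDeep({}, JSON.parse(SAMPLE_PAYLOAD));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked; // "yes": a fresh object inherited the injected property
}

// Same payload through the hardened merge: data keys are merged, the unsafe
// key is dropped, and Object.prototype is untouched.
function demoSafe() {
  const merged = safeMergeDeep({}, JSON.parse(SAMPLE_PAYLOAD));
  return { name: merged.name, leaked: ({}).polluted };
}
```

`findUnsafeKeys` is useful as a request-validation or logging hook: a non-empty result on input that is about to be merged into configuration or session objects is a strong detection signal, independent of which library version is deployed.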

Available Upgrade Options

  • lodash
    • <4.17.5 → Upgrade to 4.17.5
  • lodash-rails
    • <4.17.5 → Upgrade to 4.17.5

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2018-3721?

Similar Vulnerabilities: CVE-2019-10744, CVE-2020-7712, CVE-2021-42790, CVE-2022-2170, CVE-2023-2253