CVE-2018-3721
Prototype Pollution vulnerability in lodash

Vulnerability type: Prototype Pollution. Known public exploits: none.

What is CVE-2018-3721 About?

`lodash` versions before 4.17.5 are vulnerable to prototype pollution through functions like `defaultsDeep`, `merge`, and `mergeWith`. This allows a malicious user to add or modify properties on the `Object` prototype, impacting all objects. Exploitation occurs when these vulnerable functions process attacker-controlled input.

Affected Software

  • lodash
    • <4.17.5
  • lodash-rails
    • <4.17.5

Technical Details

The `lodash` library's `defaultsDeep`, `merge`, and `mergeWith` functions, in versions prior to 4.17.5, are susceptible to prototype pollution. This happens because these functions do not correctly sanitize or restrict object property names during recursive merging operations. An attacker can craft input objects containing properties like `__proto__` or `constructor.prototype`. When these specially named properties are passed to the vulnerable `lodash` functions, the library inadvertently traverses up the prototype chain and modifies the global `Object.prototype`, injecting or overwriting properties that will then be inherited by all other objects in the application. This can lead to unexpected behavior, denial of service, or even remote code execution depending on how the polluted properties are later used by the application.
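The mitigation side of the behaviour described above, as an added example that is not lodash's own code: a deep merge that refuses to descend into `__proto__`, `constructor` or `prototype` keys (the keys the advisory names), plus a self-check that compares `Object.prototype` against a baseline taken at load time. The JSON input is constructed here solely as a regression test for the mitigation.

```javascript
// Keys that, when followed during a recursive merge, land on a prototype
// object instead of an ordinary own property. Dropping "constructor" is the
// conservative choice; it also blocks the constructor.prototype path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype's own property names before any merge runs.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own enumerable keys of `source` into `target`, skipping
// forbidden keys. Returns the list of dropped keys so callers can log them.
function safeMerge(target, source, dropped = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) { dropped.push(key); continue; }
    const value = source[key];
    if (isPlainObject(value)) {
      // Only descend into an existing own plain object; otherwise start fresh.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value, dropped);
    } else {
      target[key] = value;
    }
  }
  return dropped;
}

// Returns any own property names on Object.prototype that were not present at
// load time; an empty array means no pollution has occurred.
function detectPollution() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !BASELINE.has(n));
}

// Constructed untrusted input (hypothetical); JSON.parse creates "__proto__"
// as an own data property, which is exactly what a naive merge would walk.
const UNTRUSTED_JSON =
  '{"theme":"dark","__proto__":{"polluted":true},"constructor":{"prototype":{"x":1}}}';

function demo() {
  const config = { theme: 'light', limits: { max: 10 } };
  const dropped = safeMerge(config, JSON.parse(UNTRUSTED_JSON));
  return { config, dropped, polluted: detectPollution() };
}
```

Run `detectPollution()` periodically (or in a test suite after exercising merge-heavy code paths) to catch any remaining unsafe merge in the application.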

What is the Impact of CVE-2018-3721?

Successful exploitation may allow attackers to pollute the global JavaScript `Object` prototype, potentially leading to denial of service, remote code execution, or unauthorized data manipulation across the application.

What is the Exploitability of CVE-2018-3721?

Exploitation of this prototype pollution vulnerability requires moderate complexity. An attacker must be able to input data that is ultimately processed by `lodash`'s `defaultsDeep`, `merge`, or `mergeWith` functions. There are no inherent authentication or privilege requirements; instead, the attack vector depends on whether an application exposes a way for untrusted input to reach these functions. This is a remote vulnerability if applications parse external input (e.g., JSON from API requests, query parameters) with the vulnerable functions. The risk is elevated when `lodash` is used to combine or extend objects where some parts of the input are user-controlled and not adequately validated or sanitized.

What are the Known Public Exploits?

No known public exploits are listed (PoC, Author, Link, Commentary: none).

What are the Available Fixes for CVE-2018-3721?

Available Upgrade Options

  • lodash
    • <4.17.5 → Upgrade to 4.17.5
  • lodash-rails
    • <4.17.5 → Upgrade to 4.17.5


Additional Resources

What are Similar Vulnerabilities to CVE-2018-3721?

Similar Vulnerabilities: CVE-2019-10744, CVE-2020-7712, CVE-2021-42790, CVE-2022-2170, CVE-2023-2253