CVE-2019-10744
Prototype Pollution vulnerability in lodash
What is CVE-2019-10744 About?
This vulnerability is a Prototype Pollution flaw in `lodash` versions before 4.17.12 that allows a malicious user to modify `Object.prototype`. Such modification can lead to denial of service, remote code execution, or other unintended behaviour across the application. Exploitation is relatively straightforward for an attacker who can control input to the `defaultsDeep` function.
Affected Software
- lodash <4.17.12
- lodash-es <4.17.14
- lodash-amd <4.17.13
- lodash.defaultsdeep <4.6.1
- lodash-rails <4.17.12
Technical Details
Versions of `lodash` prior to 4.17.12 are susceptible to a Prototype Pollution vulnerability specifically within the `defaultsDeep` function. An attacker can exploit this by providing a crafted input object containing a `constructor` property with a nested `prototype` property (e.g., `{constructor: {prototype: {...}}}`). When `defaultsDeep` attempts to merge this input, it recursively traverses and assigns properties, leading to the modification of the global `Object.prototype`. This means that any property added or modified in the `prototype` nested within the malicious input will subsequently exist on all JavaScript objects, potentially altering application logic, causing crashes, or enabling further attacks like remote code execution if the added properties are later invoked in a harmful context.
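As an added, defender-side example (not lodash's own code), the following is a defaults-style deep merge hardened against the `constructor.prototype` / `__proto__` pattern described above, together with a helper that reports the offending key path in deserialized input so the request can be rejected before any merge runs. `safeDefaultsDeep`, `findPollutionPath`, `applyUntrustedDefaults` and the constructed request body are assumptions of this example.

```javascript
// Constructed request body standing in for untrusted JSON that reaches a merge call.
const UNTRUSTED_BODY = '{"constructor":{"prototype":{"polluted":"yes"}},"timeout":30}';
// Keys that let a recursive merge climb from an own property into Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Dotted path of the first prototype-reaching key in `input`, or null when clean.
function findPollutionPath(input, path = []) {
  if (!isPlainObject(input)) return null;
  for (const key of Object.keys(input)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) return here.join('.');
    const nested = findPollutionPath(input[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// defaultsDeep-style merge: fills in properties `target` lacks, recursing into plain
// objects. FORBIDDEN_KEYS are skipped, so `constructor.prototype` is never walked.
function safeDefaultsDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const srcVal = source[key];
      const missing = !Object.prototype.hasOwnProperty.call(target, key) || target[key] === undefined;
      if (isPlainObject(srcVal)) {
        if (missing) target[key] = {};
        if (isPlainObject(target[key])) safeDefaultsDeep(target[key], srcVal);
      } else if (missing) {
        target[key] = srcVal;
      }
    }
  }
  return target;
}

// Gate untrusted input: refuse the whole body rather than silently dropping keys.
function applyUntrustedDefaults(target, rawJson) {
  const parsed = JSON.parse(rawJson);
  const badPath = findPollutionPath(parsed);
  if (badPath !== null) throw new Error(`rejected input: forbidden key at ${badPath}`);
  return safeDefaultsDeep(target, parsed);
}
```

Logging the rejected path gives a cheap detection signal for attempts against any merge endpoint, independent of which library version is deployed.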
What is the Impact of CVE-2019-10744?
Successful exploitation may allow attackers to inject arbitrary properties into runtime objects, leading to denial of service, data tampering, or, in some contexts, remote code execution.
What is the Exploitability of CVE-2019-10744?
Exploitation requires the attacker to control input passed to the `defaultsDeep` function in the `lodash` library. The complexity is low, primarily involving crafting a specific JSON or object structure. No authentication or specific privileges are required beyond the ability to submit data that eventually gets processed by the vulnerable function. This can be a remote attack if user input from web requests, APIs, or files is deserialized and passed to `defaultsDeep` without proper sanitization. The likelihood of exploitation increases in applications that extensively use `lodash` for object merging with untrusted or partially controlled data sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10744?
Available Upgrade Options
- lodash-rails <4.17.12 → Upgrade to 4.17.12
- lodash.defaultsdeep <4.6.1 → Upgrade to 4.6.1
- lodash-amd <4.17.13 → Upgrade to 4.17.13
- lodash <4.17.12 → Upgrade to 4.17.12
- lodash-es <4.17.14 → Upgrade to 4.17.14
Additional Resources
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://access.redhat.com/errata/RHSA-2019:3024
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://osv.dev/vulnerability/GHSA-jf85-cpcp-j695
What are Similar Vulnerabilities to CVE-2019-10744?
Similar Vulnerabilities: CVE-2020-28282, CVE-2020-28283, CVE-2020-28284, CVE-2020-8203, CVE-2021-23337
