CVE-2019-10744
Prototype Pollution vulnerability in lodash (npm)
What is CVE-2019-10744 About?
This vulnerability affects `lodash` versions before 4.17.12 and is a Prototype Pollution flaw: a malicious user can add or overwrite properties on the global `Object.prototype`. Because every plain object inherits from that prototype, such modification can lead to denial of service, remote code execution, or other unintended behaviour anywhere in the application. Exploitation is straightforward for an attacker who can control the input passed to the `defaultsDeep` function.
Affected Software
- lodash
  - <4.17.12
- lodash-es
  - <4.17.14
- lodash-amd
  - <4.17.13
- lodash.defaultsdeep
  - <4.6.1
- lodash-rails
  - <4.17.12
Technical Details
Versions of lodash prior to 4.17.12 are susceptible to Prototype Pollution in the `defaultsDeep` function. An attacker supplies a crafted input object containing a `constructor` property with a nested `prototype` property, for example `{constructor: {prototype: {...}}}`. When `defaultsDeep` merges this input it recursively traverses it and looks up each key on the destination object; for a plain object, `constructor` resolves through the prototype chain to the `Object` function, and `Object.prototype` is that function's `prototype` property, so the nested values end up being written onto the global `Object.prototype`. Any property added or modified this way then exists on every JavaScript object that inherits from `Object.prototype`, which can alter application logic, cause crashes, or enable further attacks such as remote code execution if the injected properties are later used in a sensitive context.
What is the Impact of CVE-2019-10744?
Successful exploitation may allow attackers to inject arbitrary properties into runtime objects, leading to denial of service, data tampering, or, in some contexts, remote code execution.
What is the Exploitability of CVE-2019-10744?
Exploitation requires the attacker to control input passed to the defaultsDeep function in the lodash library. The complexity is low, primarily involving crafting a specific JSON or object structure. No authentication or specific privileges are required beyond the ability to submit data that eventually gets processed by the vulnerable function. This can be a remote attack if user input from web requests, APIs, or files is deserialized and passed to defaultsDeep without proper sanitization. The likelihood of exploitation increases in applications that extensively use lodash for object merging with untrusted or partially controlled data sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10744?
About the Fix from Resolved Security
This patch prevents prototype pollution in lodash by blocking the `constructor` key in the internal `safeGet` function (in addition to the already-blocked `__proto__` key) and by reading only own properties rather than values inherited through the prototype chain. With these checks a merge can no longer walk from a plain object to `Object` via `constructor` and on to `Object.prototype`, which is how attackers could previously use merge operations to inject properties into every object, leading to potentially severe issues including code execution or denial of service.
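As an added, self-contained illustration of both the mechanism described under Technical Details and the checks named in the fix description above (this is example code written for this page, not lodash's implementation and not part of the original advisory): a minimal recursive defaults-merge that reproduces the vulnerable prototype-chain lookup, beside a hardened version that refuses `__proto__`, refuses `constructor` when it resolves to a function, and reads own properties only. The payloads are constructed here, and the names `vulnerableDefaultsDeep`, `hardenedDefaultsDeep`, `safeGet`, `assignOwn` and `pollutes` belong to this example, not to lodash's API.

```javascript
// Added example: a toy recursive defaults-merge, NOT lodash's code.
// It reproduces the lookup behaviour behind CVE-2019-10744 and the checks in the fix.

function isObjectLike(value) {
  // Functions count as objects here, which is what lets the walk reach `Object` via `constructor`.
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Vulnerable shape: `target[key]` resolves through the prototype chain, so on a plain object
// `constructor` is the Object function and `Object.prototype` is its `prototype` property.
function vulnerableDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const srcValue = source[key];
    const objValue = target[key];
    if (isObjectLike(objValue) && isObjectLike(srcValue)) {
      vulnerableDefaultsDeep(objValue, srcValue); // may recurse into Object.prototype
    } else if (objValue === undefined) {
      target[key] = srcValue;
    }
  }
  return target;
}

// Hardened lookup: a paraphrase of the checks the fix description names (not lodash's source).
function safeGet(object, key) {
  if (key === '__proto__') return undefined;
  if (key === 'constructor' && typeof object[key] === 'function') return undefined;
  return Object.prototype.hasOwnProperty.call(object, key) ? object[key] : undefined;
}

function assignOwn(object, key, value) {
  // Define an own data property so a key literally named "__proto__" never hits the inherited setter.
  Object.defineProperty(object, key, { value, writable: true, enumerable: true, configurable: true });
}

function hardenedDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const srcValue = safeGet(source, key);
    const objValue = safeGet(target, key);
    if (isObjectLike(objValue) && isObjectLike(srcValue)) {
      hardenedDefaultsDeep(objValue, srcValue);
    } else if (objValue === undefined && srcValue !== undefined) {
      assignOwn(target, key, srcValue);
    }
  }
  return target;
}

// Constructed attacker payloads, in the form they would arrive in a JSON request body.
const PAYLOADS = {
  viaConstructor: '{"constructor":{"prototype":{"polluted":"yes"}}}',
  viaProto: '{"__proto__":{"polluted":"yes"}}',
};

// Merge the payload into an empty config object and report whether a fresh, unrelated
// object now carries the injected property. Cleans up so later checks start from a clean runtime.
function pollutes(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

// Sanity check that the hardened merge still performs ordinary deep defaulting.
function mergeExample() {
  return JSON.stringify(hardenedDefaultsDeep({ a: { b: 1 } }, { a: { b: 2, c: 3 }, d: 4 }));
}

function demo() {
  for (const [name, json] of Object.entries(PAYLOADS)) {
    console.log(name, 'vulnerable:', pollutes(vulnerableDefaultsDeep, json),
                'hardened:', pollutes(hardenedDefaultsDeep, json));
  }
  console.log('hardened merge:', mergeExample());
}
demo();
```

Both payload shapes pollute the vulnerable merge and neither touches `Object.prototype` in the hardened one, while ordinary deep defaulting still works; the `__proto__` key is the reason assignments go through `Object.defineProperty` rather than plain property assignment.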
Available Upgrade Options
- lodash-rails
  - <4.17.12 → Upgrade to 4.17.12
- lodash.defaultsdeep
  - <4.6.1 → Upgrade to 4.6.1
- lodash-amd
  - <4.17.13 → Upgrade to 4.17.13
- lodash
  - <4.17.12 → Upgrade to 4.17.12
- lodash-es
  - <4.17.14 → Upgrade to 4.17.14
Additional Resources
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://access.redhat.com/errata/RHSA-2019:3024
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://osv.dev/vulnerability/GHSA-jf85-cpcp-j695
What are Similar Vulnerabilities to CVE-2019-10744?
Similar Vulnerabilities: CVE-2020-28282, CVE-2020-28283, CVE-2020-28284, CVE-2020-8203, CVE-2021-23337
