CVE-2020-8203
Prototype Pollution vulnerability in lodash
What is CVE-2020-8203 About?
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution through functions such as `pick`, `set`, `update`, and `zipObjectDeep`. When the property identifiers or paths these functions receive are taken from user input, an attacker can add or change properties on `Object.prototype`, which every object that inherits from it then picks up. Exploitation requires specially crafted input to reach one of the affected functions.
Affected Software
- lodash
- >3.7.0, <4.17.19
- lodash-es
- >3.7.0, <4.17.20
- lodash.pick
- >4.0.0, <=4.4.0
- lodash.set
- >3.7.0, <=4.3.2
- lodash.setwith
- <=4.3.2
- lodash.update
- <=4.10.2
- lodash.updatewith
- <=4.10.2
- lodash-rails
- >3.7.0, <4.17.19
Technical Details
The vulnerability in lodash (versions prior to 4.17.19) is a Prototype Pollution flaw in functions such as `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep`. When these functions walk a user-supplied property name or path, they do not reject the segments that lead out of the target object and into its prototype chain. A path containing `__proto__`, or `constructor` followed by `prototype`, therefore resolves to `Object.prototype`, and the final write lands there instead of on the object the caller passed in. Because ordinary objects inherit from `Object.prototype`, the injected property then appears on every such object in the JavaScript runtime. Depending on what the application reads from those objects, the result can be unexpected behavior, Denial of Service, or, when chained with other weaknesses in application logic, Remote Code Execution.
What is the Impact of CVE-2020-8203?
Successful exploitation may allow attackers to cause Denial of Service, arbitrary code execution, or unintended modification of object properties across the application.
What is the Exploitability of CVE-2020-8203?
Exploitation requires an attacker to provide specially crafted input containing a malicious property identifier or path, such as `__proto__` or `constructor.prototype`. Complexity is moderate: the application must pass that input, as a key or path, to one of the affected `lodash` functions. No authentication or elevated privileges are required. Depending on the application's architecture the vulnerability can be reachable remotely (for example through a JSON request body) or only locally. The likelihood of exploitation increases if the application dynamically creates or modifies objects from unsanitized user input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-8203?
About the Fix from Resolved Security
The patch stops the path-walking code behind `zipObjectDeep` from creating or modifying properties named `__proto__`, `constructor`, or `prototype`: when one of those keys appears in a path, the write is abandoned. Since those are exactly the keys through which a path escapes the target object and reaches `Object.prototype`, blocking them closes the pollution route that CVE-2020-8203 describes and removes the primitive that chained code-execution or data-tampering attacks would build on. Note that lodash-es is listed as fixed only in 4.17.20, so projects using the ES module build should target that version.
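As an added illustration (not lodash's code and not part of the original page), the following JavaScript reimplements, in simplified form, the kind of deep set-by-path walk that `zipObjectDeep`, `set`, and `update` perform: first without the key check, then with the `__proto__`/`constructor`/`prototype` blocklist the fix describes. The helper names (`deepSetUnsafe`, `deepSetSafe`, `demo`) and the attacker-controlled paths are assumptions constructed for this example.

```javascript
// Added example, not lodash source: a minimal deep "set by path" walk in the
// style of a path-based setter, shown vulnerable and then hardened.
// Assumption: the path comes straight from attacker-controlled JSON, as it
// would if an application fed request data to zipObjectDeep/set/update.

// lodash accepts "a.b.c" strings as well as arrays; mimic that here.
function castPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Functions count as objects (Object, the constructor, is a function), which
// is what lets a "constructor.prototype" path reach Object.prototype.
function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// VULNERABLE: follows every key in the path, creating missing intermediates.
// A key of "__proto__" resolves to Object.prototype, so the final write
// pollutes every object that inherits from it.
function deepSetUnsafe(object, path, value) {
  const keys = castPath(path);
  let nested = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      nested[key] = value;
    } else {
      if (!isObjectLike(nested[key])) nested[key] = {};
      nested = nested[key];
    }
  }
  return object;
}

// The three keys the 4.17.19 fix refuses anywhere in a path.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: same walk, but the whole write is abandoned as soon as a
// blocklisted key appears, so the walk can never leave the target object.
function deepSetSafe(object, path, value) {
  const keys = castPath(path);
  let nested = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (POLLUTION_KEYS.has(key)) return object; // refuse, do not write
    if (i === keys.length - 1) {
      nested[key] = value;
    } else {
      if (!isObjectLike(nested[key])) nested[key] = {};
      nested = nested[key];
    }
  }
  return object;
}

// Runs one setter on a constructed attacker path, then checks whether an
// unrelated, freshly created object inherited the injected property.
// Cleans Object.prototype afterwards so the pollution does not leak.
function demo(setter, attackerPath) {
  setter({}, attackerPath, true);
  const victim = {};                          // never touched by the setter
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;            // undo any pollution
  return polluted;
}

// Constructed attacker inputs: two routes to Object.prototype.
const PATH_PROTO = ['__proto__', 'isAdmin'];
const PATH_CTOR = 'constructor.prototype.isAdmin';

console.log('unsafe, __proto__ path pollutes:', demo(deepSetUnsafe, PATH_PROTO));
console.log('unsafe, constructor.prototype path pollutes:', demo(deepSetUnsafe, PATH_CTOR));
console.log('safe, __proto__ path pollutes:', demo(deepSetSafe, PATH_PROTO));
console.log('safe, constructor.prototype path pollutes:', demo(deepSetSafe, PATH_CTOR));
```

The hardened walk still handles ordinary paths such as `a.b.c`, so the check costs nothing for legitimate callers; the practical lesson for application code is the same as the fix's: never let an unvalidated key or path string choose where a write lands, and when upgrading is not immediately possible, apply this blocklist at the input boundary.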
Available Upgrade Options
- lodash-es
- >3.7.0, <4.17.20 → Upgrade to 4.17.20
- lodash-rails
- >3.7.0, <4.17.19 → Upgrade to 4.17.19
- lodash
- >3.7.0, <4.17.19 → Upgrade to 4.17.19
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://hackerone.com/reports/864701
- https://hackerone.com/reports/712065
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml
- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://github.com/lodash/lodash/issues/4874
- https://osv.dev/vulnerability/GHSA-p6mc-m468-83gw
What are Similar Vulnerabilities to CVE-2020-8203?
Similar Vulnerabilities: CVE-2019-10744, CVE-2020-28500, CVE-2020-7712, CVE-2020-7760, CVE-2021-23337
