CVE-2020-8203
Prototype Pollution vulnerability in lodash (npm)

Tags: Prototype Pollution | No known exploit | Fixable by Resolved Security

What is CVE-2020-8203 About?

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution via exploitable functions like `pick`, `set`, and `update`. An attacker can manipulate `Object.prototype` if user-supplied property identifiers are used. This vulnerability can be exploited under specific circumstances by feeding specially crafted input.

Affected Software

  • lodash
    • >3.7.0, <4.17.19
  • lodash-es
    • >3.7.0, <4.17.20
  • lodash.pick
    • >4.0.0, <=4.4.0
  • lodash.set
    • >3.7.0, <=4.3.2
  • lodash.setwith
    • <=4.3.2
  • lodash.update
    • <=4.10.2
  • lodash.updatewith
    • <=4.10.2
  • lodash-rails
    • >3.7.0, <4.17.19

Technical Details

The vulnerability in lodash (versions prior to 4.17.19) is a Prototype Pollution flaw impacting functions such as pick, set, setWith, update, updateWith, and zipObjectDeep. These functions, when processing user-supplied property names or paths, do not adequately sanitize or validate input. This allows an attacker to inject and modify properties of the Object.prototype, which then affects all objects in the JavaScript runtime. By injecting properties like __proto__ or constructor.prototype, an attacker can add or modify existing properties on Object.prototype, potentially leading to unexpected behavior, Denial of Service, or even Remote Code Execution if chained with other vulnerabilities in the application logic.

What is the Impact of CVE-2020-8203?

Successful exploitation may allow attackers to cause Denial of Service, arbitrary code execution, or unintended modification of object properties across the application.

What is the Exploitability of CVE-2020-8203?

Exploitation requires an attacker to provide specially crafted input that contains malicious property identifiers (such as __proto__). It is of moderate complexity, since the application must manipulate objects based on that user input for the flaw to be reachable. No authentication or elevated privileges are required. Depending on the application's architecture, this can be a remote or local vulnerability. The primary prerequisite is that the application uses an affected lodash function to process user-controlled property names or paths. The likelihood of exploitation increases if the application dynamically creates or modifies objects based on unsanitized user input.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-8203?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents assignments to the __proto__, constructor, and prototype properties by returning early if these keys are encountered, thus avoiding modification of an object's prototype chain or constructor. This directly fixes CVE-2020-8203, which stems from prototype pollution in lodash's zipObjectDeep (and similar) functions; by blocking these dangerous keys, the vulnerability is mitigated and arbitrary code execution or global object tampering is prevented.
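As an added illustration of the hardening described above (example code written for this page, not lodash's own patch), here is a minimal deep "set" with a lodash-style path parser that refuses any segment naming `__proto__`, `constructor` or `prototype`, so a user-supplied path can never reach Object.prototype. The helper names (`castPath`, `isSafePath`, `safeSet`) and the constructed inputs are assumptions.

```javascript
// Added example, not lodash's code: a deep set that mirrors the fix for
// CVE-2020-8203 by returning early when a path segment names a
// prototype-chain key. Path syntax follows lodash style, e.g. "a.b[0].c".
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ['a', 'b', '0', 'c']; arrays are passed through.
function castPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, '.$1') // a[0] -> a.0
    .split('.')
    .filter((seg) => seg.length > 0);
}

// True only when no segment of the path could touch the prototype chain.
function isSafePath(path) {
  return castPath(path).every((seg) => !UNSAFE_KEYS.has(seg));
}

// Deep set that leaves the object untouched (the patch's "return early")
// whenever the path contains a dangerous key.
function safeSet(obj, path, value) {
  const segs = castPath(path);
  if (segs.length === 0 || !isSafePath(segs)) return obj;
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    // Only descend into own, non-null object properties; otherwise create
    // the next container (array if the following segment is an index).
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = /^\d+$/.test(segs[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Constructed inputs: a benign path and a pollution attempt of the kind an
// attacker would send through JSON. The second call must be a no-op.
const benign = safeSet({}, 'user.roles[0]', 'reader');
const attempt = safeSet({}, '__proto__.isAdmin', true);
```

After both calls, `({}).isAdmin` is still `undefined` and `attempt` has no own keys, which is the check a regression test for this class of bug should make.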

Available Upgrade Options

  • lodash-es
    • >3.7.0, <4.17.20 → Upgrade to 4.17.20
  • lodash-rails
    • >3.7.0, <4.17.19 → Upgrade to 4.17.19
  • lodash
    • >3.7.0, <4.17.19 → Upgrade to 4.17.19


Additional Resources

What are Similar Vulnerabilities to CVE-2020-8203?

Similar Vulnerabilities: CVE-2019-10744, CVE-2020-28500, CVE-2020-7712, CVE-2020-7760, CVE-2021-23337