Liran Tal, a developer advocate at Snyk, discovered a high-severity prototype pollution vulnerability, tracked as CVE-2019-10744, that affects all versions of
An attacker could exploit the flaw to compromise services that use the library.
The popular library is currently used in more than 4 million projects on GitHub.
Liran Tal also developed a proof-of-concept exploit for the flaw.
“The popular npm library is used by 4.35 million projects on GitHub alone. Just shy of 40k GitHub project stars, the library is downloaded over 80 million times each month. Needless to say, a high severity vulnerability in a library as popular as lodash affects a large proportion of npm users,” reads a blog post published by the company.
Tal discovered that the “defaultsDeep” function implemented in the Lodash library could be tricked into adding or modifying properties of Object.prototype using a constructor payload. Because every plain object inherits from Object.prototype, an attacker could use this to crash the web application or alter its behavior.
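To show why a constructor payload reaches Object.prototype and how a merge routine can refuse it, here is an added example written for this article. It is not lodash's code and not the proof of concept Tal wrote: `vulnerableDefaultsDeep` is a minimal recursive "defaults" merge that behaves like the flawed pattern the article describes, `safeDefaultsDeep` is the hardened form, and the payload string is constructed for the demonstration.

```javascript
// Added example, not lodash's implementation: a minimal defaultsDeep-style
// merge in a vulnerable and a hardened variant.

// Functions count as "object-like" here, which is what lets the walk step
// from {}.constructor (the Object function) to Object.prototype.
const isObjectLike = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// A plain object is one whose prototype is Object.prototype or null.
const isPlainObject = (v) => {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
};

// Vulnerable pattern: iterates every key of `source`, including
// "constructor" and "prototype", and recurses through inherited values.
// A source shaped like {constructor: {prototype: {...}}} therefore ends up
// writing into Object.prototype.
function vulnerableDefaultsDeep(target, source) {
  for (const key in source) {
    const sv = source[key];
    const tv = target[key]; // inherited lookup: {}.constructor === Object
    if (isObjectLike(tv) && isObjectLike(sv)) {
      vulnerableDefaultsDeep(tv, sv);
    } else if (tv === undefined) {
      target[key] = sv;
    }
  }
  return target;
}

// The three keys through which a merge can climb to a prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: own keys only, the prototype-reaching keys are skipped,
// and recursion descends only into plain objects the target itself owns.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const sv = source[key];
    const tv = Object.prototype.hasOwnProperty.call(target, key)
      ? target[key]
      : undefined;
    if (isPlainObject(tv) && isPlainObject(sv)) {
      safeDefaultsDeep(tv, sv);
    } else if (tv === undefined) {
      target[key] = sv;
    }
  }
  return target;
}

// Constructed payload in the shape the article describes: a JSON body that
// climbs from "constructor" to "prototype".
const PAYLOAD_JSON = '{"constructor":{"prototype":{"polluted":"yes"}}}';

// Merges the payload into a fresh, empty target and reports whether a
// brand-new, unrelated object now carries the injected property. The global
// prototype is restored afterwards so the check is repeatable.
function pollutes(mergeFn) {
  try {
    mergeFn({}, JSON.parse(PAYLOAD_JSON));
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('vulnerable merge pollutes:', pollutes(vulnerableDefaultsDeep)); // true
console.log('hardened merge pollutes:', pollutes(safeDefaultsDeep)); // false
```

The `pollutes` check is the kind of regression test worth keeping in a codebase that performs deep merges of untrusted input: it fails the moment any merge path can write through `constructor` or `__proto__`, regardless of which library performs the merge.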
Tal shared his findings with John Dalton, maintainer of lodash.
“The process included a collaboration with John in a private repository to confirm our findings and Snyk’s proposed fixes to remediate the vulnerabilities. Involved in this process was Kirill, one of Snyk’s software engineers, who raised pull requests (, ) with the fixes to lodash, both of which were merged on June 24th,” wrote the expert.