GHSA-p6mc-m468-83gw

Source

https://github.com/advisories/GHSA-p6mc-m468-83gw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-p6mc-m468-83gw

Aliases

CVE-2020-8203

Published

2020-07-15T19:15:48Z

Modified

2025-08-12T22:01:18.276147Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

Prototype Pollution in lodash

Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Database specific

{
    "cwe_ids": [
        "CWE-1321",
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-15T19:14:58Z",
    "nvd_published_at": "2020-07-15T17:15:00Z"
}

References

Affected packages

npm

lodash

Package

Name: lodash; View open source insights on deps.dev
Purl: pkg:npm/lodash

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Fixed

4.17.19

lodash-es

Package

Name: lodash-es; View open source insights on deps.dev
Purl: pkg:npm/lodash-es

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Fixed

4.17.20

lodash.pick

Package

Name: lodash.pick; View open source insights on deps.dev
Purl: pkg:npm/lodash.pick

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Last affected

4.4.0

lodash.set

Package

Name: lodash.set; View open source insights on deps.dev
Purl: pkg:npm/lodash.set

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Last affected

4.3.2

lodash.setwith

Package

Name: lodash.setwith; View open source insights on deps.dev
Purl: pkg:npm/lodash.setwith

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.3.2

lodash.update

Package

Name: lodash.update; View open source insights on deps.dev
Purl: pkg:npm/lodash.update

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.10.2

lodash.updatewith

Package

Name: lodash.updatewith; View open source insights on deps.dev
Purl: pkg:npm/lodash.updatewith

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.10.2

RubyGems

lodash-rails

Package

Name: lodash-rails
Purl: pkg:gem/lodash-rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.7.0

Fixed

4.17.19

Affected versions

3.*

3.7.0

3.9.3

3.10.0

3.10.1

4.*

4.0.0

4.3.0

4.5.1

4.6.1

4.11.2

4.12.0

4.13.1

4.14.1

4.15.0

4.16.1

4.16.3

4.16.4

4.16.6

4.17.2

4.17.4

4.17.5

4.17.10

4.17.11

4.17.14

4.17.15