Lodash, a popular npm library, is affected by a high severity security flaw called Prototype Pollution. The Lodash library is used by more than 4 million projects on GitHub alone.
What’s the matter?
Liran Tal, a developer advocate at open-source security platform Snyk, has recently published a proof-of-concept showing how the high-severity flaw affects the Lodash library. The vulnerability, tracked as CVE-2019-10744, could be exploited by hackers to compromise the security of affected services using the library.
The vulnerability impacts all versions of Lodash, including the latest version, 4.7.11.
What is the vulnerability?
How can the flaw be abused in Lodash?
Tal found that the ‘defaultsDeep’ function implemented in the Lodash library could be manipulated to add or modify properties of ‘Object.prototype’ using a payload containing a ‘constructor’ key. This could force the web application to crash.
Is there any workaround?
According to Tal, the issue can be addressed by ensuring that an input key set to ‘constructor’ is never used to write into the global object’s prototype.
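As an added illustration of the mechanism described above and of the workaround Tal suggests, here is a minimal deep-defaults merge written for this page; it is not Lodash's own code, and the helper names (unsafeDefaultsDeep, safeDefaultsDeep, isProtoPolluted, demo) are assumptions. The first variant recurses through a ‘constructor’ key into Object.prototype; the second refuses to follow prototype-reaching keys, and a small check shows whether a fresh object has inherited the injected property.

```javascript
// Added example, not Lodash's code; helper names are assumptions for this page.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable variant: fills missing keys and recurses wherever the existing
// value is object-like. `target.constructor` resolves by inheritance to Object,
// whose `prototype` is Object.prototype, so {constructor:{prototype:{...}}}
// walks straight into the global prototype.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const existing = target[key]; // inherited lookup, so 'constructor' resolves
    if (existing !== null &&
        (typeof existing === 'object' || typeof existing === 'function')) {
      if (isPlainObject(source[key])) unsafeDefaultsDeep(existing, source[key]);
    } else if (existing === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: skips prototype-reaching keys, recurses only into own
// plain-object properties, and only fills in keys the target lacks.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (!Object.prototype.hasOwnProperty.call(target, key)) {
      target[key] = source[key];
    } else if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      safeDefaultsDeep(target[key], source[key]);
    }
  }
  return target;
}

// Detection check: a brand-new empty object must not inherit this key.
function isProtoPolluted(key) {
  return key in {};
}

// Runs both variants on the same constructed payload and reports the result.
function demo() {
  const payload = JSON.parse('{"constructor":{"prototype":{"polluted":true}}}');
  unsafeDefaultsDeep({}, payload);
  const afterUnsafe = isProtoPolluted('polluted'); // true: prototype polluted
  delete Object.prototype.polluted;                // undo the pollution
  safeDefaultsDeep({}, payload);
  const afterSafe = isProtoPolluted('polluted');   // false: key was skipped
  return { afterUnsafe, afterSafe };
}
```

The same `isProtoPolluted` check is a cheap assertion to keep in a test suite for any code path that merges untrusted JSON into configuration objects.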