
After jQuery JavaScript library, Prototype Pollution flaw impacts all versions of Lodash library

  • The vulnerability impacts all versions of Lodash, including the latest 4.7.11 version.
  • The Lodash library is used by more than 4 million projects on GitHub alone.

Lodash, a popular npm library, is affected by a high-severity security flaw known as Prototype Pollution. The Lodash library is used by more than 4 million projects on GitHub alone.

What’s the matter?

Liran Tal, a developer advocate at the open-source security platform Snyk, has recently published a proof-of-concept showing how the high-severity flaw affects the Lodash library. The vulnerability, tracked as CVE-2019-10744, could be exploited by attackers to compromise the security of services that use the library.

The vulnerability impacts all versions of Lodash, including the latest 4.7.11 version.

The news comes three months after the discovery of a prototype pollution vulnerability in the popular jQuery JavaScript frontend library.

What is the vulnerability?

Prototype Pollution is a security flaw that enables attackers to modify a web application’s JavaScript object prototype. Because every plain object inherits from that prototype, the application can crash or change its behavior when it no longer receives the values it expects.

Given how widespread JavaScript is, exploiting a Prototype Pollution flaw could have severe consequences for web applications.

How can the flaw be abused in Lodash?

Tal found that the ‘defaultsDeep’ function implemented in the Lodash library could be manipulated to add or modify properties of ‘Object.prototype’ using a ‘constructor’ payload. This could force the web application to crash.

Is there any workaround?

According to Tal, the issue can be addressed by not polluting the global object when the key being merged is set to ‘constructor’.
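To illustrate both the merge behaviour described above and the workaround, here is an added example (not Lodash’s own code) of a minimal recursive defaults merge with the same class of bug, beside a hardened version that refuses to walk into the prototype chain; the payload and the config are constructed samples.

```javascript
// Added example, not code from Lodash or from the advisory. The payload shape
// below is constructed to match the "constructor" -> "prototype" path described.

function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: walks every key of the untrusted source, including "constructor".
// target.constructor is the inherited Object function, so the recursion lands
// on Object.prototype and writes the attacker's property there.
function naiveDefaultsDeep(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (target[key] === undefined) target[key] = {};
      naiveDefaultsDeep(target[key], source[key]);
    } else if (target[key] === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain and only recurse into
// properties the target actually owns, so inherited values are never merged into.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(src) && !Array.isArray(src)) {
      if (!hasOwn) target[key] = {};
      if (isObject(target[key])) safeDefaultsDeep(target[key], src);
    } else if (!hasOwn) {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample of untrusted JSON input; "port" shows normal defaults behaviour.
const PAYLOAD_JSON = '{"constructor": {"prototype": {"isAdmin": true}}, "port": 8080}';

// Merges the payload into a fresh config and reports whether an unrelated
// object now sees the injected property; the pollution is undone afterwards.
function pollutes(mergeFn) {
  const config = { port: 3000 };
  mergeFn(config, JSON.parse(PAYLOAD_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('naive merge pollutes Object.prototype:', pollutes(naiveDefaultsDeep)); // true
console.log('safe merge pollutes Object.prototype:', pollutes(safeDefaultsDeep));   // false
```

The same key filter is the check to look for when reviewing any deep-merge, extend or defaults helper that accepts user-controlled JSON.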
