CVE-2018-16487 in lodash
Summary
by MITRE
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Analysis
by VulDB Data Team • 05/07/2020
This vulnerability represents a critical prototype pollution flaw in the widely-used lodash library that affects versions prior to 4.17.11. The issue stems from the improper handling of user-supplied input within the merge, mergeWith, and defaultsDeep functions, which are commonly employed for deep object merging operations. When these functions process objects containing specially crafted keys that target prototype properties, they inadvertently modify the Object.prototype directly rather than the intended target object. This behavior creates a fundamental security risk that can be exploited across multiple attack vectors.
The vulnerability relies on the fact that JavaScript objects inherit properties from their prototype chain: when these functions fail to sanitize input keys, they can inject attacker-chosen properties into the prototype itself. Attackers can craft input data containing keys like "__proto__" or "constructor" that, when processed by the vulnerable merge functions, result in prototype pollution. This occurs because the functions do not validate or filter keys that could alter prototype properties, allowing attackers to manipulate the behavior of all objects that inherit from Object.prototype.
The operational impact of this vulnerability extends far beyond simple data corruption, as it can enable a wide range of downstream attacks including remote code execution, denial of service, and privilege escalation. When prototype pollution occurs, it affects all objects in the JavaScript environment that inherit from the polluted prototype, potentially allowing attackers to modify core object behaviors or inject malicious code that executes in the context of the vulnerable application. This vulnerability particularly affects Node.js applications and web applications that use lodash for object manipulation, making it a significant concern for organizations relying on these libraries for data processing and configuration management.
Organizations should immediately update their lodash dependencies to version 4.17.11 or later, which includes patches that prevent prototype pollution by implementing proper input validation and sanitization. Security teams should conduct comprehensive vulnerability assessments to identify applications using affected versions and implement runtime protections such as prototype pollution detection mechanisms. The vulnerability aligns with CWE-471, which describes the weakness of "Modification of Externally-Controlled Parameters," and maps to ATT&CK technique T1059.007 for JavaScript-based execution. Additionally, organizations should consider implementing input validation at multiple layers including API boundaries, application logic, and runtime monitoring to prevent exploitation of similar prototype pollution vulnerabilities across their infrastructure.
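The following is an added example, not lodash's own code and not taken from this advisory: a minimal recursive merge that reproduces the class of defect described above (a source key named "__proto__" redirects the merge into Object.prototype), a hardened merge of the kind the mitigation paragraph calls for (own-key iteration, a deny-list for "__proto__", "constructor" and "prototype", and writes that bypass prototype-chain setters), and a runtime check that reports pollution indicators. The function names, the deny-list and the JSON input are assumptions constructed for illustration.

```javascript
// Added example: simplified merge functions illustrating CVE-2018-16487's defect class.
// None of this is lodash's implementation; names and inputs are constructed for the demo.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge with no key filtering. If source has an own key
// "__proto__", target["__proto__"] resolves (via the accessor) to
// Object.prototype, which then becomes the recursion target.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Key names that must never be used to address a property during a merge (assumed deny-list).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: iterates only own enumerable keys, drops forbidden names,
// recurses only into the target's own plain-object properties, and writes via
// Object.defineProperty so an inherited setter such as __proto__ is never invoked.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    const ownTarget = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(value) && isPlainObject(ownTarget)) {
      safeMerge(ownTarget, value);
    } else {
      Object.defineProperty(target, key, { value, writable: true, enumerable: true, configurable: true });
    }
  }
  return target;
}

// Runtime detection: a healthy Object.prototype has no own enumerable
// properties, so any returned key is a pollution indicator worth alerting on.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Runs both merges on the same constructed untrusted JSON and reports what the
// detector sees after each; the naive result is cleaned up so the process is not
// left polluted.
function demonstrate() {
  const untrusted = '{"__proto__": {"polluted": "yes"}, "a": 1}'; // constructed input
  const safeResult = safeMerge({}, JSON.parse(untrusted));
  const afterSafe = pollutedPrototypeKeys();   // []
  naiveMerge({}, JSON.parse(untrusted));
  const afterNaive = pollutedPrototypeKeys();  // ['polluted']
  delete Object.prototype.polluted;            // undo the pollution for the rest of the process
  return { safeA: safeResult.a, afterSafe, afterNaive };
}
```

Running `demonstrate()` shows the detector returning an empty list after the hardened merge and `['polluted']` after the naive one; the `Object.keys(Object.prototype)` check is cheap enough to run periodically or at request boundaries as the kind of runtime protection the analysis recommends.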