Outdated JavaScript Utility Library Allows Application Disruption (CVE-2018-16487)
Your application is using a very old version of lodash (3.10.1), a popular JavaScript helper library, that contains a known security flaw. An attacker who can send crafted data to your application could use this flaw to disrupt your service or, in some cases, interfere with how your application behaves. The fix is a straightforward library upgrade.
Business Impact And Actions
high urgencyBusiness Impact
The most realistic outcome of exploitation is your application becoming unresponsive — meaning customers can't use your service until it's restarted. In more complex scenarios, the flaw could be used to alter application logic in unexpected ways. If your application handles sensitive customer data, this could also be a flag in a compliance or security audit, as using libraries with known public vulnerabilities is a common audit finding.
What To Do
- Ask your developer to upgrade the lodash library to version 4.17.21 or later — this is typically a 30-minute task for a straightforward project.
- Ask your developer to check whether lodash is also pulled in indirectly by other libraries (running 'npm audit' will surface these), and update those too.
- After the upgrade, ask your developer to confirm the application still works correctly with a quick smoke test.
- Consider scheduling a regular dependency review (e.g., quarterly) so outdated libraries like this are caught earlier.
Lodash 3.10.1 — Prototype Pollution via merge/mergeWith/defaultsDeep (CVE-2018-16487)
high severity CVSS 5.6–8.1Vulnerability Explanation
The functions `merge`, `mergeWith`, and `defaultsDeep` in lodash versions prior to 4.17.11 perform unsafe recursive merges without adequately restricting access to special JavaScript properties such as `__proto__` and `constructor.prototype`. When user-supplied JSON is passed to these functions, an attacker can craft a payload like `{"__proto__": {"isAdmin": true}}` or `{"constructor": {"prototype": {"isAdmin": true}}}` to inject properties onto `Object.prototype`. Because all JavaScript objects inherit from `Object.prototype`, the injected properties then appear on every object in the application's runtime, potentially altering control flow, bypassing authorization checks, or crashing the process.
Root Cause
The `safeGet()` function in lodash failed to block traversal of inherited prototype properties during recursive merge operations. This was an incomplete fix of the earlier CVE-2018-3721 — the `__proto__` key was blocked but the equivalent `constructor.prototype` path was not, leaving the pollution vector open.
Technical Impact
An unauthenticated remote attacker who can send JSON to any endpoint that passes user input into lodash's `merge`, `mergeWith`, or `defaultsDeep` functions can: (1) cause a Denial of Service by corrupting the object prototype and triggering unhandled exceptions, (2) potentially bypass authorization logic if application code relies on prototype-inherited property checks, or (3) in complex application-specific scenarios, escalate to Remote Code Execution.
Severity Justification
The vulnerability is remotely exploitable with no authentication required and no user interaction needed. The installed version (3.10.1) is extremely outdated — more than 7 major patch versions behind the fix. CVSS scores across authoritative sources range from 5.6 to 8.1 depending on application context; the scanner's 'high' rating is appropriate given the age of the version and realistic DoS exploitability. The high-complexity RCE path is application-dependent, but DoS is straightforwardly achievable.
Affected Components
lodash < 4.17.11lodash.merge < 4.6.2
Remediation Steps
- Upgrade lodash to version 4.17.21 (the current stable release, which also patches all subsequent lodash CVEs): `npm install lodash@4.17.21` or `yarn add lodash@4.17.21`.
- Update your `package.json` to pin to a safe minimum: `"lodash": ">=4.17.21"`. Avoid using `^3.x.x` or `~3.x.x` ranges that lock you to the vulnerable major version.
- Check for transitive (indirect) dependencies that bundle their own lodash copy: run `npm ls lodash` to list all installed versions. For nested vulnerable copies, update the parent package or use `npm dedupe` / an `overrides` entry in `package.json`.
- If you use the standalone `lodash.merge` package, upgrade it separately: `npm install lodash.merge@4.6.2`.
- Run `npm audit` after upgrading to confirm no remaining lodash advisories are reported.
Verification Steps
- Run `npm ls lodash` and confirm all listed versions are 4.17.21 (or later). No 3.x or 4.x < 4.17.11 entries should appear.
- Run `npm audit` and verify no CVE-2018-16487 findings are reported.
- Manually test the prototype pollution fix: in a Node.js REPL with the updated lodash, run `const _ = require('lodash'); _.merge({}, JSON.parse('{"__proto__":{"polluted":true}}')); console.log({}.polluted);` — the output should be `undefined`, not `true`.
Code Examples (json)
// package.json — pinned to vulnerable major version
{
"dependencies": {
"lodash": "^3.10.1"
}
}// package.json — upgraded to safe version
{
"dependencies": {
"lodash": ">=4.17.21"
}
}
// If transitive copies exist, use overrides (npm 8.3+) to force the safe version:
{
"overrides": {
"lodash": ">=4.17.21"
}
}Best Practices
- Run `npm audit` as part of your CI/CD pipeline so vulnerable dependencies are caught before they reach production.
- Never pass raw, unsanitized user input directly into lodash merge functions — validate and schema-check JSON payloads at the API boundary first.
- Use `Object.freeze(Object.prototype)` in test environments to surface prototype pollution bugs early during development.
- Prefer `Object.assign()` or the spread operator (`{...a, ...b}`) for shallow merges where deep merging is not required, as these are not susceptible to prototype pollution.
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.
Scan Your Domain Free