Prototype Pollution in lodash.merge

Published: Sep 3, 2020
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-h726-x36v-rx45" target="_blank" rel="noopener"> GHSA-h726-x36v-rx45
Severity: High
Exploit:

Versions of lodash.merge before 4.6.2 are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.