Prototype Pollution in lodash.mergewith

Published: Sep 3, 2020
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-5947-m4fg-xhqg" target="_blank" rel="noopener"> GHSA-5947-m4fg-xhqg
Severity: High
Exploit:

Versions of lodash.mergewith before 4.6.1 are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.