Lodash, a popular npm library used by more than 4 million projects on GitHub alone, is affected by a high severity security vulnerability that could allow attackers to compromise the security of affected services using the library and their respective user base.
Lodash is a JavaScript library that contains tools to simplify programming with strings, numbers, arrays, functions, and objects, helping programmers write and maintain their JavaScript code more efficiently.
Liran Tal, a developer advocate at open-source security platform Snyk, recently published details and a proof-of-concept exploit of a high-severity prototype pollution security vulnerability that affects all versions of lodash, including the latest version 4.17.11.
The vulnerability, assigned as CVE-2019-10744, potentially affects a large number of frontend projects due to the popularity of lodash, which is downloaded more than 80 million times per month.
Prototype pollution is a vulnerability that enables attackers to modify a web application's JavaScript object prototype, which is like a variable that can be used to store multiple values based on a predefined structure.
These structures and their default values are called prototypes; they keep an application from crashing when no values have been set.
However, if an attacker manages to inject properties into existing JavaScript language construct prototypes and manipulate those attributes (overwriting, or "polluting", them), it could affect how the application processes JavaScript objects through the prototype chain, leading to a denial of service issue or a remote code execution vulnerability.
According to Tal, the function "defaultsDeep" in the Lodash library could be tricked into adding or modifying properties of Object.prototype using a constructor payload, which could result in crashing the web application or altering its behavior, depending upon the affected use-case.
It should be noted that exploiting prototype pollution flaws is not easy and requires in-depth knowledge of how each targeted web application works.
The researcher responsible reported this vulnerability to John Dalton, maintainer of Lodash, and proposed fixes (pull requests 1 and 2) that will be included in the next version of the library, expected to be released very soon.
If your project also uses lodash, you are recommended to update your library immediately once the official patch is released, or to manually apply the fixes in the meantime.