Liran Tal, a developer advocate at the open-source security platform Snyk, recently published details and a proof-of-concept exploit for a high-severity prototype pollution vulnerability that affects all versions of lodash, including the latest version, 4.17.11.
The vulnerability, assigned CVE-2019-10744, potentially affects a large number of frontend projects because of the popularity of lodash, which is downloaded more than 80 million times per month.
According to Tal, the function "defaultsDeep" in the Lodash library could be tricked into adding or modifying properties of Object.prototype using a constructor payload, which could crash the web application or alter its behavior, depending on the affected use case.
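The defensive counterpart to the behavior described above, as an added example that is not Lodash's code or Tal's proof of concept: a deep-defaults helper that skips the keys a prototype-pollution payload relies on, and a check that Object.prototype stayed clean after merging untrusted JSON. The input string and the `safeDefaultsDeep`, `enumerableObjectPrototypeKeys` and `mergeConfig` names are constructed for this example.

```javascript
// Added example, not Lodash's code: a deep-defaults helper that refuses to
// walk the keys a prototype-pollution payload relies on, plus a check that
// Object.prototype was left untouched after merging untrusted input.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fill in properties missing from `target` using `source`, recursing into
// nested plain objects (the defaultsDeep contract: existing values win).
// Keys that could redirect the walk onto Object.prototype are skipped.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (!Object.prototype.hasOwnProperty.call(target, key)) {
      target[key] = isPlainObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
    } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
      safeDefaultsDeep(target[key], srcVal);
    }
  }
  return target;
}

// Built-in Object.prototype members are non-enumerable, so any key that
// shows up here was added at runtime: a cheap pollution check for a test
// suite or a health endpoint.
function enumerableObjectPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed input in the shape the article describes (a "constructor"
// payload arriving as JSON); JSON.parse makes "constructor" an ordinary
// own property that a naive deep merge would follow into the prototype.
const UNTRUSTED_JSON =
  '{"theme":"dark","constructor":{"prototype":{"polluted":"yes"}},"nested":{"depth":2}}';

function mergeConfig() {
  const defaults = { theme: 'light', nested: { depth: 1, verbose: false } };
  return safeDefaultsDeep(defaults, JSON.parse(UNTRUSTED_JSON));
}

const merged = mergeConfig();
console.log(merged, 'polluted on fresh object:', ({}).polluted);
console.log('prototype extras:', enumerableObjectPrototypeKeys());
```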
It should be noted that exploiting prototype pollution flaws is not easy and requires in-depth knowledge of how each targeted web application works.
The researcher responsibly reported this vulnerability to John Dalton, maintainer of Lodash, and proposed fixes (pull requests 1 and 2) that will be included in the next version of the library, expected to be released very soon.
If your project also uses lodash, you are recommended to update the library as soon as the official patch is released, or to apply the fixes manually.