Outdated Lodash Library Allows Application Tampering or Crash
Your application uses an outdated version of Lodash, a very common JavaScript helper library. This version has a known flaw that could allow an attacker who can send crafted input to your app to corrupt how your application handles data internally — potentially causing it to crash or behave in unexpected ways. Exploiting this requires specific conditions, but the fix is a straightforward library update.
Business Impact And Actions
high urgencyBusiness Impact
If exploited, this flaw could cause your application to crash (taking it offline for your users) or allow an attacker to manipulate how your app processes data. For SaaS businesses, downtime directly affects revenue and customer trust. This type of vulnerability is also commonly flagged in security audits and compliance reviews (such as SOC 2 or ISO 27001), which could delay deals or partnerships.
What To Do
- Ask your developer to upgrade the Lodash library to version 4.17.20 or higher — this is the official fix and should take under an hour.
- Ask your developer to check if Lodash is also pulled in indirectly by other libraries (a 'transitive dependency'), and force those to use the patched version too.
- Once updated, ask your developer to confirm the new version is in place by running a dependency audit (e.g., `npm audit`) and sharing the results with you.
- Add automated dependency scanning to your development workflow so future vulnerable library versions are caught before they reach production.
Lodash < 4.17.20 — Prototype Pollution via zipObjectDeep and Related Functions (CVE-2020-8203)
high severity CVSS 7.4Vulnerability Explanation
CVE-2020-8203 is a prototype pollution vulnerability in Lodash affecting versions prior to 4.17.20. The functions `_.zipObjectDeep`, `_.set`, `_.setWith`, `_.update`, `_.updateWith`, and `_.pick` accept user-controlled property path strings. If an attacker can influence these path values, they can inject a path such as `__proto__.maliciousKey`, which causes the value to be written onto `Object.prototype` itself. Because all JavaScript objects inherit from `Object.prototype`, this injected property becomes visible on every object in the application, potentially overriding expected behaviour, bypassing logic checks, or crashing the process. A proof-of-concept is publicly available: `_.zipObjectDeep(['__proto__.z'], [123])` results in `z` being globally accessible as `123` on all objects.
Root Cause
Lodash's path-based setter functions did not sanitize or block reserved prototype keys (`__proto__`, `constructor`, `prototype`) before traversing and writing to nested object paths. This allowed user-supplied path strings to escape the intended target object and mutate the shared `Object.prototype`.
Technical Impact
An attacker who can control input to any of the affected Lodash functions can pollute `Object.prototype`, leading to: Denial of Service (application crash due to unexpected property values on all objects), logic bypass (e.g., injecting `isAdmin: true` onto the prototype to pass authorization checks), or in specific server-side contexts, potential remote code execution. The CVSS 3.1 base score is 7.4 (High), with network attack vector, high attack complexity, no privileges required, and no user interaction. Confidentiality impact is None; Integrity and Availability impacts are both High.
Severity Justification
CVSS 3.1 score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H). Network-reachable with no authentication required, but attack complexity is High — exploitation requires the attacker to control input to a specific Lodash function call. A public proof-of-concept exists, raising realistic exploitability.
Affected Components
lodash >= 3.7.0 < 4.17.20 (npm)
Remediation Steps
- Upgrade lodash to version 4.17.20 or later (4.17.21 is the current latest and also patches a separate ReDoS issue): `npm install lodash@^4.17.21` or `yarn add lodash@^4.17.21`.
- Update your `package.json` to pin the minimum version: `"lodash": "^4.17.21"`.
- Check for transitive dependencies pulling in an older lodash. Run `npm ls lodash` (or `yarn why lodash`) to identify all consumers. Use the `overrides` field in `package.json` (npm 8.3+) or `resolutions` (Yarn) to force the patched version across the dependency tree.
- Run `npm audit` (or `yarn audit`) after upgrading to confirm no remaining lodash advisories are reported.
- As a temporary mitigation only if upgrading is blocked: validate and reject any user-supplied property paths that contain `__proto__`, `constructor`, or `prototype` before passing them to lodash functions.
Verification Steps
- Run `npm ls lodash` and confirm all resolved versions are >= 4.17.20.
- Run `npm audit` and verify CVE-2020-8203 / GHSA-p6mc-m468-83gw no longer appears in the output.
- In a test environment, run the PoC: `const _ = require('lodash'); _.zipObjectDeep(['__proto__.z'], [123]); console.log(({}).z);` — on the patched version this should print `undefined`, not `123`.
Code Examples (json)
// package.json — vulnerable
{
"dependencies": {
"lodash": "^3.10.1"
}
}// package.json — fixed
{
"dependencies": {
"lodash": "^4.17.21"
},
"overrides": {
"lodash": "^4.17.21"
}
}Best Practices
- Use `npm audit` or a tool like Snyk/Dependabot in CI to automatically flag vulnerable dependencies before they reach production.
- Pin transitive dependencies using `overrides` (npm) or `resolutions` (Yarn) when direct upgrade is blocked by a dependency conflict.
- Validate and sanitize all user-supplied data before passing it to path-based object manipulation functions, regardless of the library used.
- Prefer `Object.create(null)` for objects used as plain key-value stores to break the prototype chain and limit pollution impact.
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.
Scan Your Domain Free