CVE-2018-16487
Description
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lodash versions before 4.17.11 allow prototype pollution via merge, mergeWith, and defaultsDeep functions.
Vulnerability
A prototype pollution vulnerability exists in lodash versions prior to 4.17.11. The functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype when processing specially crafted objects [1]. This occurs because the internal safeGet helper did not properly guard against keys like __proto__ or prototype [3].
Exploitation
An attacker can supply a malicious object with a __proto__ or prototype key to any of the affected functions. For example, calling _.merge({}, JSON.parse('{"__proto__": {"polluted": true}}')) will set Object.prototype.polluted to true [2]. No special privileges are required; the attacker only needs to control the input passed to these functions.
Impact
Successful exploitation pollutes the global Object.prototype, which can lead to unexpected behavior across the application. This may enable property injection, denial of service, or in some contexts privilege escalation, depending on how the polluted property is used by other code [1].
Mitigation
Upgrade to lodash version 4.17.11 or later, which includes the fix in commit 90e6199 [3]. The fix extends the safeGet function to also reject the prototype key when the value it resolves to is Object.prototype itself [3]. No workaround is available for older versions; updating is the only reliable mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
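The merge path described under Exploitation and the safeGet guard described under Mitigation, as an added JavaScript example. This is not lodash's code: naiveMerge and safeMerge are a toy deep merge that recurses only into plain objects, safeGet mirrors the shape of the fixed helper in commit 90e6199, and the names isPlainObject, setOwn, prototypeHasOwn and demo are introduced here. Because the toy never recurses into functions, it reproduces the __proto__ path quoted above but not the constructor.prototype path that the regression test in the patch covers; that guard is exercised directly on safeGet instead.

```javascript
// Added example (not lodash's code): a minimal deep merge in the pre-fix shape
// (naiveMerge) beside the same merge with a guard modelled on the fixed safeGet
// (safeMerge). isPlainObject, setOwn, prototypeHasOwn and demo are names
// chosen for this example only.

const objectProto = Object.prototype;

// Only recurse into plain objects; arrays, functions and null are assigned as-is.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Pre-fix shape: reads target[key] with no guard. For key "__proto__" on a
// fresh {} that read yields Object.prototype, and the recursion then writes
// the payload's properties straight onto it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const srcValue = source[key];
    const objValue = target[key];
    if (isPlainObject(srcValue) && isPlainObject(objValue)) {
      naiveMerge(objValue, srcValue);
    } else if (isPlainObject(srcValue)) {
      target[key] = naiveMerge({}, srcValue);
    } else {
      target[key] = srcValue;
    }
  }
  return target;
}

// Guard modelled on the fixed safeGet from commit 90e6199: never read
// "__proto__", and refuse "prototype" when it resolves to Object.prototype.
// Any other function's own prototype is still returned.
function safeGet(object, key) {
  if (key === '__proto__') {
    return undefined;
  }
  const value = object[key];
  if (key === 'prototype' && value === objectProto) {
    return undefined;
  }
  return value;
}

// Write an own data property. For "__proto__" use defineProperty so the write
// creates an ordinary key instead of invoking the prototype setter.
function setOwn(object, key, value) {
  if (key === '__proto__') {
    Object.defineProperty(object, key, {
      configurable: true, enumerable: true, writable: true, value,
    });
  } else {
    object[key] = value;
  }
}

// Same traversal as naiveMerge, but every read of the target goes through safeGet.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const srcValue = source[key];
    const objValue = safeGet(target, key);
    if (isPlainObject(srcValue) && isPlainObject(objValue)) {
      safeMerge(objValue, srcValue);
    } else if (isPlainObject(srcValue)) {
      setOwn(target, key, safeMerge({}, srcValue));
    } else {
      setOwn(target, key, srcValue);
    }
  }
  return target;
}

// Detection check: has a property of this name been planted on Object.prototype?
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(objectProto, name);
}

// Runs the advisory's payload through both merges and reports whether
// Object.prototype was touched. Cleans up after the naive merge so the rest
// of the process is unaffected.
function demo() {
  // Constructed input: the payload quoted in the Exploitation section above.
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  const result = {};

  naiveMerge({}, payload);
  result.naivePolluted = prototypeHasOwn('polluted');
  delete objectProto.polluted;

  safeMerge({}, payload);
  result.safePolluted = prototypeHasOwn('polluted');

  // The "prototype" branch of the guard, checked directly.
  function Foo() {}
  result.guardsObjectPrototype = safeGet(Object, 'prototype') === undefined;
  result.keepsOtherPrototype = safeGet(Foo, 'prototype') === Foo.prototype;

  return result;
}

console.log(demo());
// -> { naivePolluted: true, safePolluted: false, guardsObjectPrototype: true, keepsOtherPrototype: true }
```

Run it with node; a merged object produced by safeMerge carries "__proto__" as an ordinary own key, so `Object.keys` lists it while `({}).polluted` stays undefined, which is the property an upgrade to 4.17.11 restores in the real library.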
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lodash (npm) | < 4.17.11 | 4.17.11 |
| lodash-rails (RubyGems) | < 4.17.11 | 4.17.11 |
Affected products
- ghsa-coords (2 versions): < 4.17.11, +1 more
- (no CPE) range: < 4.17.11
- (no CPE) range: < 4.17.11
- HackerOne/lodashv5, range: <4.7.11
Patches
- 90e6199a161b: Ensure Object.prototype is not augmented by _.merge.
2 files changed · +34 −14
lodash.js+23 −14 modified@@ -1224,20 +1224,6 @@ return result; } - /** - * Gets the value at `key`, unless `key` is "__proto__". - * - * @private - * @param {Object} object The object to query. - * @param {string} key The key of the property to get. - * @returns {*} Returns the property value. - */ - function safeGet(object, key) { - return key == '__proto__' - ? undefined - : object[key]; - } - /** * Converts `set` to an array of its values. * @@ -6618,6 +6604,29 @@ return array; } + /** + * Gets the value at `key`, unless `key` is "__proto__" or "prototype". + * + * @private + * @param {Object} object The object to query. + * @param {string} key The key of the property to get. + * @returns {*} Returns the property value. + */ + function safeGet(object, key) { + if (key == '__proto__') { + return; + } + + var value = object[key]; + + if (key == 'prototype' && + value === objectProto) { + return; + } + + return value; + } + /** * Sets metadata for `func`. *
test/test.js+11 −0 modified@@ -7554,6 +7554,17 @@ skipAssert(assert); } }); + + QUnit.test('should not merge `Object.prototype` properties', function(assert) { + assert.expect(1); + + _.merge({}, { 'constructor': { 'prototype': { 'a': 1 } } }); + + var actual = 'a' in objectProto; + delete objectProto.a; + + assert.notOk(actual); + }); }()); /*--------------------------------------------------------------------------*/
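Review bot: in the `@@ -1224,20 +1224,6 @@` hunk of lodash.js, deleting safeGet here and re-adding it near line 6604 turns a small behavioural change into a delete-plus-add that has to be reconciled across two hunks; editing the function body in place would show the added `prototype` check as a few-line change in one hunk. This hunk itself changes no behaviour, since the function is a hoisted declaration in the same scope.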
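Review bot: in the `@@ -6618,6 +6604,29 @@` hunk of lodash.js, the JSDoc says the value is withheld when `key` is "__proto__" or "prototype", but the code only withholds "prototype" when `value === objectProto`; a `prototype` key that resolves to any other function's prototype is returned unchanged. Suggest wording the comment to match, e.g. "Gets the value at `key`, unless `key` is "__proto__", or `key` is "prototype" and the value is `Object.prototype`.", so the deliberately narrow guard is not later mistaken for a blanket one.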
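Review bot: in the `@@ -7554,6 +7554,17 @@` hunk of test/test.js, the new test pins only the `constructor.prototype` shape; adding a second check for the `__proto__` shape the advisory quotes (`_.merge({}, JSON.parse('{"__proto__": {"polluted": true}}'))`, followed by `assert.notOk('polluted' in objectProto)` and the matching `delete`) would cover both keys safeGet now rejects, with `assert.expect(2)`. Also, `delete objectProto.a` runs only if `_.merge` returns normally; if it throws, `a` stays on Object.prototype and can leak into later tests, so a `try`/`finally` around the cleanup would be safer.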
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4xc9-xhrj-v574 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-16487 (source: ghsa; type: ADVISORY)
- github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad (source: ghsa; type: WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml (source: ghsa; type: WEB)
- hackerone.com/reports/380873 (source: ghsa; type: x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20190919-0004 (source: ghsa; type: WEB)
- security.netapp.com/advisory/ntap-20190919-0004/ (source: mitre; type: x_refsource_CONFIRM)