High severityNVD Advisory· Published Feb 1, 2019· Updated Aug 5, 2024
CVE-2018-16487
CVE-2018-16487
Description
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lodashnpm | < 4.17.11 | 4.17.11 |
lodash-railsRubyGems | < 4.17.11 | 4.17.11 |
Affected products
3- ghsa-coords2 versions
< 4.17.11+ 1 more
- (no CPE)range: < 4.17.11
- (no CPE)range: < 4.17.11
- HackerOne/lodashv5Range: <4.7.11
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-4xc9-xhrj-v574ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-16487ghsaADVISORY
- github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2adghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.ymlghsaWEB
- hackerone.com/reports/380873ghsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20190919-0004ghsaWEB
- security.netapp.com/advisory/ntap-20190919-0004/mitrex_refsource_CONFIRM
News mentions
1- Axios: Nine CVEs Disclosed Together — Prototype Pollution, Proxy Leaks, and Bypasses Fixed in 1.16.0Vypr Intelligence · Jun 11, 2026