CVE-2019-10744
Description
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
lodash before 4.17.12 vulnerable to prototype pollution via defaultsDeep, allowing property injection on Object.prototype.
Vulnerability
Overview CVE-2019-10744 is a prototype pollution vulnerability in lodash versions prior to 4.17.12. The defaultsDeep function can be exploited by crafting an object with a constructor property that, when merged, pollutes Object.prototype, allowing attackers to add or modify properties of all JavaScript objects [1][4].
Exploitation
An attacker can supply a malicious JSON payload to a function that uses defaultsDeep to merge objects. No authentication is required if the application exposes an endpoint that accepts user-controlled objects for merging. The attack leverages JavaScript's prototype chain: because defaultsDeep recursively merges properties, a __proto__ or constructor.prototype key can be used to traverse to Object.prototype and inject arbitrary properties [2][4].
Impact
Successful exploitation can lead to property injection affecting the entire application. This can result in denial of service (by overriding critical properties), property tampering, or, in some contexts, remote code execution if the polluted properties influence subsequent operations [1][3][4]. Red Hat rated it as a moderate security issue in products like ovirt-web-ui [3].
Mitigation
The vulnerability is fixed in lodash version 4.17.12 [1][2]. Users should update to the latest version or apply the patch provided in the referenced pull request. No workarounds are available for older versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lodashnpm | < 4.17.12 | 4.17.12 |
lodash-esnpm | < 4.17.14 | 4.17.14 |
lodash-amdnpm | < 4.17.13 | 4.17.13 |
lodash.defaultsdeepnpm | < 4.6.1 | 4.6.1 |
lodash-railsRubyGems | < 4.17.12 | 4.17.12 |
Affected products
6- ghsa-coords5 versions
< 4.17.12+ 4 more
- (no CPE)range: < 4.17.12
- (no CPE)range: < 4.17.12
- (no CPE)range: < 4.17.13
- (no CPE)range: < 4.6.1
- (no CPE)range: < 4.17.14
- Snyk/lodashv5Range: All versions prior to 4.17.12
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- access.redhat.com/errata/RHSA-2019:3024ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-jf85-cpcp-j695ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10744ghsaADVISORY
- github.com/lodash/lodash/pull/4336ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.ymlghsaWEB
- security.netapp.com/advisory/ntap-20191004-0005ghsaWEB
- security.netapp.com/advisory/ntap-20191004-0005/mitrex_refsource_CONFIRM
- snyk.io/vuln/SNYK-JS-LODASH-450202ghsax_refsource_CONFIRMWEB
- support.f5.com/csp/article/K47105354ghsax_refsource_CONFIRMWEB
- support.f5.com/csp/article/K47105354ghsaWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.