CVE-2020-8203
Description
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in lodash's _.zipObjectDeep allows attackers to set arbitrary properties on Object.prototype, leading to potential remote code execution or denial of service.
Vulnerability
The _.zipObjectDeep function in lodash versions before 4.17.20 is vulnerable to prototype pollution [1]. Prototype pollution is a JavaScript vulnerability that allows an attacker to inject properties into an object's prototype chain, typically Object.prototype. If a maliciously crafted object is passed to _.zipObjectDeep, it can set arbitrary properties on the global prototype, affecting all objects in the application.
Exploitation
Exploitation requires the attacker to control the input passed to _.zipObjectDeep. This is commonly achieved through user-supplied data that is later processed by this function without proper sanitization. No authentication is needed if the vulnerable function is exposed to untrusted input via web forms, APIs, or other data ingestion points. The specific vector involves creating a path that includes __proto__ or constructor.prototype to traverse and modify the prototype chain [2][3][4].
Impact
Successful exploitation allows the attacker to pollute the prototype chain, which can lead to a variety of severe consequences. These include denial of service (by overwriting critical object methods), property injection that may enable code execution, and in some contexts, privilege escalation or bypass of security checks. The real-world impact depends on how the application uses the polluted prototypes. Many lodash-based applications are at risk of remote code execution if attackers can control the properties that are later accessed or used in dynamic code execution paths.
Mitigation
Lodash released a fix in version 4.17.20 [1]. Users should upgrade to this version or later. No workaround is available for earlier versions aside from patching the function or avoiding the use of _.zipObjectDeep with untrusted input. The vulnerability has been publicly documented and is referenced in NVD [2] and GitHub issues [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
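The mechanics described above, as an added illustration that is not lodash's own code: a minimal dotted-path setter written in the style of lodash's internal baseSet, shown once unguarded (the pre-4.17.20 behaviour, where walking into a `__proto__` segment lands on Object.prototype) and once with the three-name guard that the fix commit adds. The names setPathUnsafe, setPathSafe, zipObjectDeepUnsafe, zipObjectDeepSafe and pollutesPrototype are assumptions for this example, and the hostile input is constructed. It goes slightly beyond the commit: the guarded version validates the whole path before any write and only descends into own properties, which are defensive choices for this example rather than what lodash does.

```javascript
// Added illustration (not lodash's code): minimal dotted-path setters in the
// style of lodash's internal baseSet, unguarded and guarded, plus a check that
// Object.prototype stayed clean. All function names here are assumptions.

// Segments that must never be walked or written when a path comes from
// untrusted input; these are the three names rejected by the fix commit.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Unguarded setter, mirroring the pre-4.17.20 code path: the inherited lookup
// nested['__proto__'] resolves to Object.prototype, so the final write pollutes
// every object in the process.
function setPathUnsafe(object, path, value) {
  const keys = path.split('.');
  let nested = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      nested[key] = value;
      break;
    }
    let next = nested[key]; // inherited lookup: '__proto__' yields the prototype
    if (next === null || typeof next !== 'object') {
      next = {};
      nested[key] = next;
    }
    nested = next;
  }
  return object;
}

// Guarded setter: rejects the whole path before any write (so a bad path never
// leaves a partially mutated target) and only descends into own properties,
// never the prototype chain. The silent skip matches the lodash fix.
function setPathSafe(object, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) {
    return object;
  }
  let nested = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      nested[key] = value;
      break;
    }
    let next = hasOwn(nested, key) ? nested[key] : undefined;
    if (next === null || typeof next !== 'object') {
      next = {};
      nested[key] = next;
    }
    nested = next;
  }
  return object;
}

// zipObjectDeep-style wrappers: pair each path with the value at the same index.
function zipObjectDeepUnsafe(paths, values) {
  return paths.reduce((acc, p, i) => setPathUnsafe(acc, p, values[i]), {});
}
function zipObjectDeepSafe(paths, values) {
  return paths.reduce((acc, p, i) => setPathSafe(acc, p, values[i]), {});
}

// Runs `zip` on a constructed hostile input and reports whether Object.prototype
// gained the canary key; always cleans up so the process is left unpolluted.
function pollutesPrototype(zip) {
  const canary = 'cve_2020_8203_canary'; // constructed canary name
  delete Object.prototype[canary];
  try {
    zip(['__proto__.' + canary, 'safe.key'], ['polluted', 'value']);
    return hasOwn(Object.prototype, canary);
  } finally {
    delete Object.prototype[canary];
  }
}

console.log('unguarded pollutes Object.prototype:', pollutesPrototype(zipObjectDeepUnsafe)); // true
console.log('guarded pollutes Object.prototype:  ', pollutesPrototype(zipObjectDeepSafe));   // false
```

The same hasOwn check on Object.prototype is a cheap runtime probe for applications that cannot upgrade immediately: if a key your code never defines shows up as an own property of Object.prototype, something upstream has already polluted it.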
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| lodash | npm | >= 3.7.0, < 4.17.19 | 4.17.19 |
| lodash-es | npm | >= 3.7.0, < 4.17.20 | 4.17.20 |
| lodash.pick | npm | >= 4.0.0, <= 4.4.0 | none |
| lodash.set | npm | >= 3.7.0, <= 4.3.2 | none |
| lodash.setwith | npm | <= 4.3.2 | none |
| lodash.update | npm | <= 4.10.2 | none |
| lodash.updatewith | npm | <= 4.10.2 | none |
| lodash-rails | RubyGems | >= 3.7.0, < 4.17.19 | 4.17.19 |
Affected products
- lodash/lodash (GHSA coordinates, 8 package versions): pkg:gem/lodash-rails, pkg:npm/lodash, pkg:npm/lodash-es, pkg:npm/lodash.pick, pkg:npm/lodash.set, pkg:npm/lodash.setwith, pkg:npm/lodash.update, pkg:npm/lodash.updatewith
- (no CPE) range: >= 3.7.0, < 4.17.19
- (no CPE) range: >= 3.7.0, < 4.17.19
- (no CPE) range: >= 3.7.0, < 4.17.20
- (no CPE) range: >= 4.0.0, <= 4.4.0
- (no CPE) range: >= 3.7.0, <= 4.3.2
- (no CPE) range: <= 4.3.2
- (no CPE) range: <= 4.10.2
- (no CPE) range: <= 4.10.2
Patches
Commit c84fe82760fb: fix(zipObjectDeep): prototype pollution (#4759)
2 files changed, +37 −0
lodash.js+4 −0 modified@@ -3990,6 +3990,10 @@ var key = toKey(path[index]), newValue = value; + if (key === '__proto__' || key === 'constructor' || key === 'prototype') { + return object; + } + if (index != lastIndex) { var objValue = nested[key]; newValue = customizer ? customizer(objValue, key, nested) : undefined;
test/test.js+33 −0 modified@@ -25799,6 +25799,39 @@ }); }); + // zipObjectDeep prototype pollution + ['__proto__', 'constructor', 'prototype'].forEach(function (keyToTest) { + QUnit.test('zipObjectDeep is not setting ' + keyToTest + ' on global', function (assert) { + assert.expect(1); + + _.zipObjectDeep([keyToTest + '.a'], ['newValue']); + // Can't access plain `a` as it's not defined and test fails + assert.notEqual(root['a'], 'newValue'); + }); + + QUnit.test('zipObjectDeep is not overwriting ' + keyToTest + ' on vars', function (assert) { + assert.expect(3); + + const b = 'oldValue' + _.zipObjectDeep([keyToTest + '.b'], ['newValue']); + assert.equal(b, 'oldValue'); + assert.notEqual(root['b'], 'newValue'); + + // ensure nothing was created + assert.notOk(root['b']); + }); + + QUnit.test('zipObjectDeep is not overwriting global.' + keyToTest, function (assert) { + assert.expect(2); + + _.zipObjectDeep([root + '.' + keyToTest + '.c'], ['newValue']); + assert.notEqual(root['c'], 'newValue'); + + // ensure nothing was created + assert.notOk(root['c']); + }); + }); + /*--------------------------------------------------------------------------*/ QUnit.module('lodash.zipWith');
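Review bot: in the lodash.js hunk the guard sits inside the per-segment loop (after `var key = toKey(path[index])` and before the `index != lastIndex` branch), so for a path such as `a.__proto__.b` the segments before the blocked one have already been walked and assigned by the earlier iterations of this loop, and the caller receives the partially mutated `object` with no signal that the remainder of the path was dropped. Consider validating every segment of `path` once before the loop so a rejected path leaves the target untouched, and document the silent skip in the zipObjectDeep/set docs, since an own key legitimately named `constructor` or `prototype` can no longer be reached through a path after this change.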
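Review bot: in the test/test.js hunk, the second QUnit test's `assert.equal(b, 'oldValue')` cannot fail because `b` is a block-local `const` that nothing can reassign, so `assert.expect(3)` is padded by an assertion that checks nothing; the two `root['b']` assertions are the meaningful ones. The line `const b = 'oldValue'` also lacks a semicolon and uses `const` in a file that otherwise uses ES5 `var`/`function` style, so it should become `var b = 'oldValue';`. In the third test, `root + '.' + keyToTest + '.c'` stringifies `root` to its `[object ...]` form rather than naming the global, so the path exercised is not `global.__proto__.c` as the test name claims; build the path from an explicit string or drop the `root +` prefix.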
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p6mc-m468-83gw [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2020-8203 [ghsa: ADVISORY]
- github.com/github/advisory-database/pull/2884 [ghsa: WEB]
- github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12 [ghsa: WEB]
- github.com/lodash/lodash/issues/4744 [ghsa: WEB]
- github.com/lodash/lodash/issues/4874 [ghsa, mitre x_refsource_MISC: WEB]
- github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml [ghsa: WEB]
- hackerone.com/reports/712065 [ghsa, mitre x_refsource_MISC: WEB]
- hackerone.com/reports/864701 [ghsa: WEB]
- security.netapp.com/advisory/ntap-20200724-0006 [ghsa: WEB]
- security.netapp.com/advisory/ntap-20200724-0006/ [mitre x_refsource_CONFIRM]
- web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744 [ghsa: WEB]
- www.oracle.com//security-alerts/cpujul2021.html [mitre x_refsource_MISC]
- www.oracle.com/security-alerts/cpuApr2021.html [mitre x_refsource_MISC]
- www.oracle.com/security-alerts/cpuapr2022.html [mitre x_refsource_MISC]
- www.oracle.com/security-alerts/cpujan2022.html [mitre x_refsource_MISC]
- www.oracle.com/security-alerts/cpuoct2021.html [mitre x_refsource_MISC]
News mentions
No linked articles in our index yet.