Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/lodash@0.5.2

Type npm

Namespace

Name lodash

Version 0.5.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.18.0

Latest_non_vulnerable_version 4.18.0

Affected_by_vulnerabilities

url VCID-aaeg-a8tc-dyd2

vulnerability_id VCID-aaeg-a8tc-dyd2

summary

Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to
Command Injection via the template function.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23337.json

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23337.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23337

reference_id

reference_type

scores

value	0.04314
scoring_system	epss
scoring_elements	0.89097
published_at	2026-06-05T12:55:00Z

value	0.04314
scoring_system	epss
scoring_elements	0.8908
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23337

reference_url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337

reference_url

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851

reference_url

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

reference_url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-1040724

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-1040724

reference_url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1928937
reference_id	1928937
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1928937

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086
reference_id	985086
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-23337

reference_id

CVE-2021-23337

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-23337

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml

reference_id

CVE-2021-23337.YML

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml

reference_url	https://access.redhat.com/errata/RHSA-2021:2179
reference_id	RHSA-2021:2179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2179

reference_url	https://access.redhat.com/errata/RHSA-2021:2438
reference_id	RHSA-2021:2438
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2438

reference_url	https://access.redhat.com/errata/RHSA-2021:2543
reference_id	RHSA-2021:2543
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2543

reference_url	https://access.redhat.com/errata/RHSA-2021:3459
reference_id	RHSA-2021:3459
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3459

reference_url	https://access.redhat.com/errata/RHSA-2022:6429
reference_id	RHSA-2022:6429
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6429

reference_url	https://access.redhat.com/errata/RHSA-2026:7329
reference_id	RHSA-2026:7329
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7329

fixed_packages

url pkg:npm/lodash@4.17.21

purl pkg:npm/lodash@4.17.21

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.21

aliases CVE-2021-23337, GHSA-35jh-r3h4-6jhm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aaeg-a8tc-dyd2

url VCID-ac1j-39fz-huf4

vulnerability_id VCID-ac1j-39fz-huf4

summary

lodash prototype pollution
lodash node module before 4.17.5 suffers from a prototype pollution vulnerability via 'defaultsDeep', 'merge', and 'mergeWith' functions, which allows a malicious user to modify the prototype of 'Object' via __proto__, causing the addition or modification of an existing property that will exist on all objects.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3721.json

reference_id

reference_type

scores

value	2.9
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3721.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-3721

reference_id

reference_type

scores

value	0.00249
scoring_system	epss
scoring_elements	0.48318
published_at	2026-06-04T12:55:00Z

value	0.00249
scoring_system	epss
scoring_elements	0.48381
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-3721

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721

reference_url

https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

reference_url

https://hackerone.com/reports/310443

reference_id

reference_type

scores

value	2.5
scoring_system	cvssv3
scoring_elements

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/310443

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1545884
reference_id	1545884
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1545884

reference_url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/368.json

reference_id

368

reference_type

scores

value	2.5
scoring_system	cvssv3
scoring_elements

url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/368.json

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890575
reference_id	890575
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890575

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-3721

reference_id

CVE-2018-3721

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-3721

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml

reference_id

CVE-2018-3721.YML

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml

reference_url

https://github.com/advisories/GHSA-fvqr-27wr-82fm

reference_id

GHSA-fvqr-27wr-82fm

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fvqr-27wr-82fm

reference_url	https://access.redhat.com/errata/RHSA-2021:3917
reference_id	RHSA-2021:3917
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3917

fixed_packages

url pkg:npm/lodash@4.17.5

purl pkg:npm/lodash@4.17.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-r83z-aktw-sbav

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xvf6-pgw4-nuhu

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.5

aliases CVE-2018-3721, GHSA-fvqr-27wr-82fm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ac1j-39fz-huf4

url VCID-hm3y-cuw8-vfhe

vulnerability_id VCID-hm3y-cuw8-vfhe

summary lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2950.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2950.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-2950

reference_id

reference_type

scores

value	0.00025
scoring_system	epss
scoring_elements	0.07562
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-2950

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2950
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2950

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-2950

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-2950

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2453499
reference_id	2453499
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2453499

reference_url	https://github.com/advisories/GHSA-f23m-r3pf-42rh
reference_id	GHSA-f23m-r3pf-42rh
reference_type
scores
url	https://github.com/advisories/GHSA-f23m-r3pf-42rh

reference_url

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

reference_id

GHSA-xxjr-mmjv-4gpg

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:43:14Z/

url

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

reference_url	https://access.redhat.com/errata/RHSA-2026:7378
reference_id	RHSA-2026:7378
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7378

reference_url	https://access.redhat.com/errata/RHSA-2026:7655
reference_id	RHSA-2026:7655
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7655

reference_url	https://access.redhat.com/errata/RHSA-2026:9455
reference_id	RHSA-2026:9455
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9455

fixed_packages

url	pkg:npm/lodash@4.18.0
purl	pkg:npm/lodash@4.18.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.18.0

aliases CVE-2026-2950, GHSA-f23m-r3pf-42rh

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hm3y-cuw8-vfhe

url VCID-r83z-aktw-sbav

vulnerability_id VCID-r83z-aktw-sbav

summary

Denial of Service
Prototype pollution attack (lodash / constructor.prototype)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16487.json

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16487.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-16487

reference_id

reference_type

scores

value	0.00468
scoring_system	epss
scoring_elements	0.6487
published_at	2026-06-05T12:55:00Z

value	0.00468
scoring_system	epss
scoring_elements	0.64828
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-16487

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487

reference_url

https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

reference_url

https://hackerone.com/reports/380873

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/380873

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1671878
reference_id	1671878
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1671878

reference_url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/493.json

reference_id

493

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/493.json

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-16487

reference_id

CVE-2018-16487

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-16487

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml

reference_id

CVE-2018-16487.YML

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml

reference_url

https://github.com/advisories/GHSA-4xc9-xhrj-v574

reference_id

GHSA-4xc9-xhrj-v574

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4xc9-xhrj-v574

fixed_packages

url pkg:npm/lodash@4.17.11

purl pkg:npm/lodash@4.17.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.11

aliases CVE-2018-16487, GHSA-4xc9-xhrj-v574

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r83z-aktw-sbav

url VCID-s46z-6pyy-vbhg

vulnerability_id VCID-s46z-6pyy-vbhg

summary

Denial of Service and remote code execution
Functions in Lodash ( merge, mergeWith, defaultsDeep) can modify the prototype of "Object" if given malicious data. This can lead to denial of service or remote code execution.

references

reference_url	https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
reference_id
reference_type
scores
url	https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

reference_url	https://hackerone.com/reports/310443
reference_id
reference_type
scores
url	https://hackerone.com/reports/310443

fixed_packages

url pkg:npm/lodash@4.17.5

purl pkg:npm/lodash@4.17.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-r83z-aktw-sbav

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xvf6-pgw4-nuhu

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.5

aliases GMS-2018-10

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s46z-6pyy-vbhg

url VCID-xwr9-5r2s-vucx

vulnerability_id VCID-xwr9-5r2s-vucx

summary

Prototype Pollution in lodash
Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution.  The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

references

reference_url

https://access.redhat.com/errata/RHSA-2019:3024

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2019:3024

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10744.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10744.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-10744

reference_id

reference_type

scores

value	0.18518
scoring_system	epss
scoring_elements	0.9538
published_at	2026-06-05T12:55:00Z

value	0.18518
scoring_system	epss
scoring_elements	0.95372
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-10744

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744

reference_url

https://github.com/lodash/lodash/pull/4336

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/4336

reference_url

https://security.netapp.com/advisory/ntap-20191004-0005

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20191004-0005

reference_url	https://security.netapp.com/advisory/ntap-20191004-0005/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20191004-0005/

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-450202

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-450202

reference_url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS

reference_url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS

reference_url	https://www.npmjs.com/advisories/1065
reference_id
reference_type
scores
url	https://www.npmjs.com/advisories/1065

reference_url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1739497
reference_id	1739497
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1739497

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079
reference_id	933079
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-10744

reference_id

CVE-2019-10744

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-10744

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml

reference_id

CVE-2019-10744.YML

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml

reference_url

https://github.com/advisories/GHSA-jf85-cpcp-j695

reference_id

GHSA-jf85-cpcp-j695

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jf85-cpcp-j695

reference_url	https://access.redhat.com/errata/RHSA-2020:2362
reference_id	RHSA-2020:2362
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2362

reference_url	https://access.redhat.com/errata/RHSA-2020:2819
reference_id	RHSA-2020:2819
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2819

reference_url	https://access.redhat.com/errata/RHSA-2021:5134
reference_id	RHSA-2021:5134
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5134

reference_url	https://access.redhat.com/errata/RHSA-2022:5101
reference_id	RHSA-2022:5101
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5101

fixed_packages

url pkg:npm/lodash@4.17.12

purl pkg:npm/lodash@4.17.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.12

aliases CVE-2019-10744, GHSA-jf85-cpcp-j695

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xwr9-5r2s-vucx

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@0.5.2

Package Instance