VulnerableCode Package Details - pkg:npm/lodash.merge@4.6.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-87ec-1ejh-quh3 Aliases: GHSA-h726-x36v-rx45 GMS-2020-353	Prototype Pollution in lodash.merge Versions of `lodash.merge` before 4.6.2 are vulnerable to prototype pollution. The function `merge` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.	4.6.2 Affected by 0 other vulnerabilities.
VCID-dzeb-zu9x-g3bq Aliases: CVE-2019-10744 GHSA-jf85-cpcp-j695	Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	4.6.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-87ec-1ejh-quh3
Aliases:
GHSA-h726-x36v-rx45
GMS-2020-353

Prototype Pollution in lodash.merge Versions of `lodash.merge` before 4.6.2 are vulnerable to prototype pollution. The function `merge` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.

4.6.2
Affected by 0 other vulnerabilities.

VCID-dzeb-zu9x-g3bq
Aliases:
CVE-2019-10744
GHSA-jf85-cpcp-j695

Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

4.6.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mzmf-nmeu-zyej	Prototype Pollution in lodash.merge Versions of `lodash.merge` before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.1 or later.	GHSA-2m96-9w4j-wgv7 GMS-2020-352

Vulnerability

Summary

Aliases

VCID-mzmf-nmeu-zyej

Prototype Pollution in lodash.merge Versions of `lodash.merge` before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.1 or later.

GHSA-2m96-9w4j-wgv7
GMS-2020-352

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:10:10.406397+00:00	GitLab Importer	Affected by	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.4.0
2026-04-16T21:08:44.950902+00:00	GitLab Importer	Fixing	VCID-mzmf-nmeu-zyej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-352.yml	38.4.0
2026-04-16T20:56:00.909758+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/CVE-2019-10744.yml	38.4.0
2026-04-11T22:21:58.980813+00:00	GitLab Importer	Affected by	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.3.0
2026-04-11T22:20:29.309422+00:00	GitLab Importer	Fixing	VCID-mzmf-nmeu-zyej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-352.yml	38.3.0
2026-04-11T22:07:02.431902+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/CVE-2019-10744.yml	38.3.0
2026-04-02T22:34:01.066883+00:00	GitLab Importer	Affected by	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.1.0
2026-04-02T22:32:28.326703+00:00	GitLab Importer	Fixing	VCID-mzmf-nmeu-zyej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-352.yml	38.1.0
2026-04-02T22:19:49.622471+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/CVE-2019-10744.yml	38.1.0
2026-04-02T12:37:09.834314+00:00	GitLab Importer	Fixing	VCID-mzmf-nmeu-zyej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-352.yml	38.0.0
2026-04-01T16:37:36.408550+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/CVE-2019-10744.yml	38.0.0
2026-04-01T15:58:34.735777+00:00	GHSA Importer	Fixing	VCID-mzmf-nmeu-zyej	https://github.com/advisories/GHSA-2m96-9w4j-wgv7	38.0.0
2026-04-01T12:59:32.001444+00:00	GithubOSV Importer	Fixing	VCID-mzmf-nmeu-zyej	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2m96-9w4j-wgv7/GHSA-2m96-9w4j-wgv7.json	38.0.0