VulnerableCode Package Details - pkg:npm/lodash.merge@4.6.2

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-87ec-1ejh-quh3	Prototype Pollution in lodash.merge Versions of `lodash.merge` before 4.6.2 are vulnerable to prototype pollution. The function `merge` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.	GHSA-h726-x36v-rx45 GMS-2020-353
VCID-dzeb-zu9x-g3bq	Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	CVE-2019-10744 GHSA-jf85-cpcp-j695

Vulnerability

Summary

Aliases

VCID-87ec-1ejh-quh3

Prototype Pollution in lodash.merge Versions of `lodash.merge` before 4.6.2 are vulnerable to prototype pollution. The function `merge` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.

GHSA-h726-x36v-rx45
GMS-2020-353

VCID-dzeb-zu9x-g3bq

Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

CVE-2019-10744
GHSA-jf85-cpcp-j695

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:10:10.409685+00:00	GitLab Importer	Fixing	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.4.0
2026-04-11T22:21:58.984885+00:00	GitLab Importer	Fixing	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.3.0
2026-04-02T22:34:01.070207+00:00	GitLab Importer	Fixing	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.1.0
2026-04-02T12:37:14.424532+00:00	GitLab Importer	Fixing	VCID-87ec-1ejh-quh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/GMS-2020-353.yml	38.0.0
2026-04-01T15:58:34.715792+00:00	GHSA Importer	Fixing	VCID-87ec-1ejh-quh3	https://github.com/advisories/GHSA-h726-x36v-rx45	38.0.0
2026-04-01T12:59:48.537277+00:00	GithubOSV Importer	Fixing	VCID-87ec-1ejh-quh3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-h726-x36v-rx45/GHSA-h726-x36v-rx45.json	38.0.0
2026-04-01T12:48:33.933749+00:00	GitLab Importer	Fixing	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.merge/CVE-2019-10744.yml	38.0.0