VulnerableCode Package Details - pkg:npm/lodash.mergewith@4.6.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-dzeb-zu9x-g3bq Aliases: CVE-2019-10744 GHSA-jf85-cpcp-j695	Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	4.6.2 Affected by 0 other vulnerabilities.
VCID-qv9d-jc3u-z7av Aliases: GHSA-779f-wgxg-qr8f GMS-2020-355	Prototype Pollution in lodash.mergewith Versions of `lodash.mergewith` before 4.6.2 are vulnerable to prototype pollution. The function `mergeWith` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.	4.6.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-dzeb-zu9x-g3bq
Aliases:
CVE-2019-10744
GHSA-jf85-cpcp-j695

Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

4.6.2
Affected by 0 other vulnerabilities.

VCID-qv9d-jc3u-z7av
Aliases:
GHSA-779f-wgxg-qr8f
GMS-2020-355

Prototype Pollution in lodash.mergewith Versions of `lodash.mergewith` before 4.6.2 are vulnerable to prototype pollution. The function `mergeWith` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.

4.6.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hzca-pejv-sffd	Prototype Pollution in lodash.mergewith Versions of `lodash.mergewith` before 4.6.1 are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.1 or later.	GHSA-5947-m4fg-xhqg GMS-2020-354

Vulnerability

Summary

Aliases

VCID-hzca-pejv-sffd

Prototype Pollution in lodash.mergewith Versions of `lodash.mergewith` before 4.6.1 are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.1 or later.

GHSA-5947-m4fg-xhqg
GMS-2020-354

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:10:11.240157+00:00	GitLab Importer	Affected by	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.4.0
2026-04-16T21:08:55.821509+00:00	GitLab Importer	Fixing	VCID-hzca-pejv-sffd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-354.yml	38.4.0
2026-04-16T20:56:01.108653+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/CVE-2019-10744.yml	38.4.0
2026-04-11T22:21:59.518815+00:00	GitLab Importer	Affected by	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.3.0
2026-04-11T22:20:41.225230+00:00	GitLab Importer	Fixing	VCID-hzca-pejv-sffd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-354.yml	38.3.0
2026-04-11T22:07:02.668437+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/CVE-2019-10744.yml	38.3.0
2026-04-02T22:34:01.895422+00:00	GitLab Importer	Affected by	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.1.0
2026-04-02T22:32:41.475398+00:00	GitLab Importer	Fixing	VCID-hzca-pejv-sffd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-354.yml	38.1.0
2026-04-02T22:19:49.828264+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/CVE-2019-10744.yml	38.1.0
2026-04-02T12:37:10.344659+00:00	GitLab Importer	Fixing	VCID-hzca-pejv-sffd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-354.yml	38.0.0
2026-04-01T16:37:36.630913+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/CVE-2019-10744.yml	38.0.0
2026-04-01T15:58:34.775264+00:00	GHSA Importer	Fixing	VCID-hzca-pejv-sffd	https://github.com/advisories/GHSA-5947-m4fg-xhqg	38.0.0
2026-04-01T12:59:53.931263+00:00	GithubOSV Importer	Fixing	VCID-hzca-pejv-sffd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5947-m4fg-xhqg/GHSA-5947-m4fg-xhqg.json	38.0.0