VulnerableCode Package Details - pkg:npm/lodash.mergewith@4.6.2

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-dzeb-zu9x-g3bq	Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	CVE-2019-10744 GHSA-jf85-cpcp-j695
VCID-qv9d-jc3u-z7av	Prototype Pollution in lodash.mergewith Versions of `lodash.mergewith` before 4.6.2 are vulnerable to prototype pollution. The function `mergeWith` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.	GHSA-779f-wgxg-qr8f GMS-2020-355

Vulnerability

Summary

Aliases

VCID-dzeb-zu9x-g3bq

Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

CVE-2019-10744
GHSA-jf85-cpcp-j695

VCID-qv9d-jc3u-z7av

Prototype Pollution in lodash.mergewith Versions of `lodash.mergewith` before 4.6.2 are vulnerable to prototype pollution. The function `mergeWith` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. ## Recommendation Update to version 4.6.2 or later.

GHSA-779f-wgxg-qr8f
GMS-2020-355

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:10:11.243778+00:00	GitLab Importer	Fixing	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.4.0
2026-04-11T22:21:59.522399+00:00	GitLab Importer	Fixing	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.3.0
2026-04-02T22:34:01.898645+00:00	GitLab Importer	Fixing	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.1.0
2026-04-02T12:37:14.463894+00:00	GitLab Importer	Fixing	VCID-qv9d-jc3u-z7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/GMS-2020-355.yml	38.0.0
2026-04-01T15:58:34.816567+00:00	GHSA Importer	Fixing	VCID-qv9d-jc3u-z7av	https://github.com/advisories/GHSA-779f-wgxg-qr8f	38.0.0
2026-04-01T12:59:52.231064+00:00	GithubOSV Importer	Fixing	VCID-qv9d-jc3u-z7av	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-779f-wgxg-qr8f/GHSA-779f-wgxg-qr8f.json	38.0.0
2026-04-01T12:48:33.952560+00:00	GitLab Importer	Fixing	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.mergewith/CVE-2019-10744.yml	38.0.0