VulnerableCode Package Details - pkg:npm/lodash@1.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-1q3j-ebu2-hkd4 Aliases: GMS-2018-10	Denial of Service and remote code execution Functions in Lodash ( merge, mergeWith, defaultsDeep) can modify the prototype of "Object" if given malicious data. This can lead to denial of service or remote code execution.	4.17.5 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-dzeb-zu9x-g3bq Aliases: CVE-2019-10744 GHSA-jf85-cpcp-j695	Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	4.17.12 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-fhw1-4c1k-sfh3 Aliases: CVE-2021-23337 GHSA-35jh-r3h4-6jhm	Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.	4.17.21 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-s532-7mp1-kyeb Aliases: CVE-2018-16487 GHSA-4xc9-xhrj-v574	Prototype Pollution in lodash Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	4.17.11 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-sxth-92xw-zbea Aliases: CVE-2018-3721 GHSA-fvqr-27wr-82fm	Prototype Pollution in lodash Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.	4.17.5 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1q3j-ebu2-hkd4
Aliases:
GMS-2018-10

Denial of Service and remote code execution Functions in Lodash ( merge, mergeWith, defaultsDeep) can modify the prototype of "Object" if given malicious data. This can lead to denial of service or remote code execution.

4.17.5
Affected by 7 other vulnerabilities.

VCID-dzeb-zu9x-g3bq
Aliases:
CVE-2019-10744
GHSA-jf85-cpcp-j695

Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

4.17.12
Affected by 4 other vulnerabilities.

VCID-fhw1-4c1k-sfh3
Aliases:
CVE-2021-23337
GHSA-35jh-r3h4-6jhm

Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

4.17.21
Affected by 1 other vulnerability.

VCID-s532-7mp1-kyeb
Aliases:
CVE-2018-16487
GHSA-4xc9-xhrj-v574

Prototype Pollution in lodash Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

4.17.11
Affected by 5 other vulnerabilities.

VCID-sxth-92xw-zbea
Aliases:
CVE-2018-3721
GHSA-fvqr-27wr-82fm

Prototype Pollution in lodash Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.

4.17.5
Affected by 7 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:22:20.389755+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2021-23337.yml	38.4.0
2026-04-16T20:55:59.290335+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2019-10744.yml	38.4.0
2026-04-16T20:51:40.451895+00:00	GitLab Importer	Affected by	VCID-s532-7mp1-kyeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-16487.yml	38.4.0
2026-04-16T20:46:41.565038+00:00	GitLab Importer	Affected by	VCID-sxth-92xw-zbea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-3721.yml	38.4.0
2026-04-16T20:41:36.380812+00:00	GitLab Importer	Affected by	VCID-1q3j-ebu2-hkd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/GMS-2018-10.yml	38.4.0
2026-04-16T01:44:03.239262+00:00	GHSA Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://github.com/advisories/GHSA-35jh-r3h4-6jhm	38.4.0
2026-04-11T22:34:53.016281+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2021-23337.yml	38.3.0
2026-04-11T22:07:00.776552+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2019-10744.yml	38.3.0
2026-04-11T22:02:25.938726+00:00	GitLab Importer	Affected by	VCID-s532-7mp1-kyeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-16487.yml	38.3.0
2026-04-11T21:57:29.734070+00:00	GitLab Importer	Affected by	VCID-sxth-92xw-zbea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-3721.yml	38.3.0
2026-04-11T21:52:12.765624+00:00	GitLab Importer	Affected by	VCID-1q3j-ebu2-hkd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/GMS-2018-10.yml	38.3.0
2026-04-11T13:13:15.675485+00:00	GHSA Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://github.com/advisories/GHSA-35jh-r3h4-6jhm	38.3.0
2026-04-02T22:46:00.232545+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2021-23337.yml	38.1.0
2026-04-02T22:19:48.164906+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2019-10744.yml	38.1.0
2026-04-02T22:15:30.217461+00:00	GitLab Importer	Affected by	VCID-s532-7mp1-kyeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-16487.yml	38.1.0
2026-04-02T22:10:51.798202+00:00	GitLab Importer	Affected by	VCID-sxth-92xw-zbea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-3721.yml	38.1.0
2026-04-02T22:05:59.740697+00:00	GitLab Importer	Affected by	VCID-1q3j-ebu2-hkd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/GMS-2018-10.yml	38.1.0
2026-04-02T14:04:39.640797+00:00	GHSA Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://github.com/advisories/GHSA-35jh-r3h4-6jhm	38.1.0
2026-04-01T17:03:54.232812+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2021-23337.yml	38.0.0
2026-04-01T16:37:34.679209+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2019-10744.yml	38.0.0
2026-04-01T16:32:58.435634+00:00	GitLab Importer	Affected by	VCID-s532-7mp1-kyeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-16487.yml	38.0.0
2026-04-01T16:28:11.563072+00:00	GitLab Importer	Affected by	VCID-sxth-92xw-zbea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/CVE-2018-3721.yml	38.0.0
2026-04-01T16:22:58.908660+00:00	GitLab Importer	Affected by	VCID-1q3j-ebu2-hkd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash/GMS-2018-10.yml	38.0.0