CVEFinder.io

CVE-2018-16487

🔶 medium
πŸ” Scan for this CVE
Summary

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVSS Score: 5.6 (Medium)
EPSS Score: 0.4 (Exploit Probability)
Published Date: 2019-02-01
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 32.6% of all 317,883 vulnerabilities in our database.

Severity Percentile: #214,351 (below average severity)
Last Modified: 2024-11-21
CVSS Vector (3.1): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 2

https://hackerone.com/reports/380873 (Exploit, Issue Tracking, Third Party Advisory)

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-13465 | 🔶 medium | 5.3 | 0.0 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An at... | 2026-01-21 |
| CVE-2020-28500 | 🔶 medium | 5.3 | 0.3 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim a... | 2021-02-15 |
| CVE-2021-23337 | ⚠️ high | 7.2 | 0.7 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | 2021-02-15 |
| CVE-2020-8203 | ⚠️ high | 7.4 | 2.6 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | 2020-07-15 |
| CVE-2019-10744 | ⛔ critical | 9.1 | 2.4 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked ... | 2019-07-26 |
| CVE-2019-1010266 | 🔶 medium | 6.5 | 0.2 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. Th... | 2019-07-17 |
These CVEs affect the same products