{"id":"CVE-2018-16487","details":"A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.","aliases":["GHSA-4xc9-xhrj-v574"],"modified":"2026-03-14T09:28:12.805675Z","published":"2019-02-01T18:29:00.943Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190919-0004/"},{"type":"REPORT","url":"https://hackerone.com/reports/380873"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lodash/lodash","events":[{"introduced":"0"},{"fixed":"3e273e915d1c4176a987fa6ad65e849f59d60453"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.17.11"}]}}],"versions":["3.0.0-npm","3.0.1-npm","3.1.0-npm","3.10.0-npm","3.10.1-npm","3.2.0-npm","3.3.0-npm","3.3.1-npm","3.4.0-npm","3.5.0-npm","3.6.0-npm","3.7.0-npm","3.8.0-npm","3.9.0-npm","3.9.1-npm","3.9.2-npm","3.9.3-npm","4.0.0-npm","4.0.1-npm","4.1.0-npm","4.10.0-npm","4.11.0-npm","4.11.1-npm","4.11.2-npm","4.12.0-npm","4.13.0-npm","4.13.1-npm","4.14.0-npm","4.14.1-npm","4.14.2-npm","4.15.0-npm","4.16.0-npm","4.16.1-npm","4.16.2-npm","4.16.3-npm","4.16.4-npm","4.16.5-npm","4.16.6-npm","4.17.0-npm","4.17.1-npm","4.17.10-npm","4.17.2-npm","4.17.3-npm","4.17.4-npm","4.17.5-npm","4.17.9-npm","4.2.0-npm","4.2.1-npm","4.3.0-npm","4.4.0-npm","4.5.0-npm","4.5.1-npm","4.6.0-npm","4.6.1-npm","4.7.0-npm","4.8.0-npm","4.8.1-npm","4.8.2-npm","4.9.0-npm"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}