{"id":"CVE-2018-3721","details":"lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.","aliases":["GHSA-fvqr-27wr-82fm"],"modified":"2026-03-13T23:19:58.503459Z","published":"2018-06-07T02:29:08.317Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190919-0004/"},{"type":"FIX","url":"https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/310443"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lodash/lodash","events":[{"introduced":"0"},{"fixed":"0e314104d6f37539ed08820d8547cdd953451657"},{"fixed":"d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.17.5"}]}}],"versions":["0.1.0","0.10.0","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.3.2","0.4.0","0.4.1","0.4.2","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","0.7.0","0.8.0","0.8.1","0.8.2","0.9.0","0.9.1","0.9.2","1.0.0","1.0.0-rc.1","1.0.0-rc.2","1.0.0-rc.3","1.0.1","1.1.0","3.0.0","3.0.0-npm","3.0.1","3.0.1-npm","3.1.0","3.1.0-npm","3.10.0-npm","3.10.1","3.10.1-npm","3.2.0","3.2.0-npm","3.3.0","3.3.0-npm","3.3.1","3.3.1-npm","3.4.0","3.4.0-npm","3.5.0","3.5.0-npm","3.6.0","3.6.0-npm","3.7.0","3.7.0-npm","3.8.0","3.8.0-npm","3.9.0","3.9.0-npm","3.9.1-npm","3.9.2","3.9.2-npm","3.9.3","3.9.3-npm","4.0.0","4.0.0-npm","4.0.1","4.0.1-npm","4.1.0","4.1.0-npm","4.10.0","4.10.0-npm","4.11.0","4.11.0-npm","4.11.1","4.11.1-npm","4.11.2","4.11.2-npm","4.12.0","4.12.0-npm","4.13.0","4.13.0-npm","4.13.1","4.13.1-npm","4.14.0","4.14.0-npm","4.14.1","4.14.1-npm","4.14.2","4.14.2-npm","4.15.0","4.15.0-npm","4.16.0","4.16.0-npm","4.16.1","4.16.1-npm","4.16.2","4.16.2-npm","4.16.3","4.16.3-npm","4.16.4","4.16.4-npm","4.16.5","4.16.5-npm","4.16.6","4.16.6-npm","4.17.0","4.17.0-npm","4.17.1","4.17.1-npm","4.17.2","4.17.2-npm","4.17.3","4.17.3-npm","4.17.4","4.17.4-npm","4.2.0","4.2.0-npm","4.2.1","4.2.1-npm","4.3.0","4.3.0-npm","4.4.0","4.4.0-npm","4.5.0","4.5.0-npm","4.5.1","4.5.1-npm","4.6.0","4.6.0-npm","4.6.1","4.6.1-npm","4.7.0","4.7.0-npm","4.8.0","4.8.0-npm","4.8.1","4.8.1-npm","4.8.2","4.8.2-npm","4.9.0","4.9.0-npm"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-3721.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}