{"id":"CVE-2019-10744","details":"Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.","aliases":["GHSA-jf85-cpcp-j695"],"modified":"2026-04-10T04:13:55.063415Z","published":"2019-07-26T00:15:11.217Z","related":["SNYK-JS-LODASH-450202"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20191004-0005/"},{"type":"ADVISORY","url":"https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3024"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-LODASH-450202"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lodash/lodash","events":[{"introduced":"0"},{"fixed":"793f983629f5ccef831360f4d31881bbf6264f8b"},{"introduced":"0"},{"last_affected":"607a8b40755600d249e199fa7e573ef1c6acb72d"},{"introduced":"0"},{"last_affected":"44b3ce708218d675d3b4b8a5d39ddab5ae90a6a9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.17.12"},{"introduced":"0"},{"last_affected":"4.3"},{"introduced":"0"},{"last_affected":"2.3.0"}]}}],"versions":["0.1.0","0.10.0","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.3.2","0.4.0","0.4.1","0.4.2","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","0.7.0","0.8.0","0.8.1","0.8.2","0.9.0","0.9.1","0.9.2","1.0.0","1.0.0-rc.1","1.0.0-rc.2","1.0.0-rc.3","1.0.1","1.1.0","2.3.0","3.0.0-npm","3.0.0-npm-packages","3.0.1-npm","3.0.1-npm-packages","3.0.2-npm-packages","3.0.3-npm-packages","3.0.4-npm-packages","3.0.5-npm-packages","3.0.6-npm-packages","3.0.7-npm-packages","3.0.8-npm-packages","3.0.9-npm-packages","3.1.0-npm","3.1.0-npm-packages","3.1.1-npm-packages","3.1.2-npm-packages","3.1.3-npm-packages","3.1.4-npm-packages","3.1.5-npm-packages","3.1.6-npm-packages","3.1.7-npm-packages","3.10.0-npm","3.10.0-npm-packages","3.10.1-npm","3.10.1-npm-packages","3.10.2-npm-packages","3.10.3-npm-packages","3.11.0-npm-packages","3.2.0-npm","3.2.0-npm-packages","3.2.1-npm-packages","3.2.2-npm-packages","3.2.3-npm-packages","3.3.0-npm","3.3.0-npm-packages","3.3.1-npm","3.3.1-npm-packages","3.3.2-npm-packages","3.3.3-npm-packages","3.3.4-npm-packages","3.3.5-npm-packages","3.3.6-npm-packages","3.3.7-npm-packages","3.4.0-npm","3.4.0-npm-packages","3.4.1-npm-packages","3.4.2-npm-packages","3.4.3-npm-packages","3.4.4-npm-packages","3.5.0-npm","3.5.0-npm-packages","3.5.1-npm-packages","3.5.2-npm-packages","3.5.3-npm-packages","3.6.0-npm","3.6.0-npm-packages","3.6.1-npm-packages","3.6.2-npm-packages","3.7.0-npm","3.7.0-npm-packages","3.7.1-npm-packages","3.7.2-npm-packages","3.7.3-npm-packages","3.7.4-npm-packages","3.8.0-npm","3.8.0-npm-packages","3.8.1-npm-packages","3.8.2-npm-packages","3.9.0-npm","3.9.0-npm-packages","3.9.1-npm","3.9.1-npm-packages","3.9.2-npm","3.9.2-npm-packages","3.9.3-npm","4.0.0-npm","4.0.0-npm-packages","4.0.1-npm","4.0.1-npm-packages","4.0.2-npm-packages","4.0.3-npm-packages","4.0.4-npm-packages","4.0.5-npm-packages","4.0.6-npm-packages","4.0.7-npm-packages","4.0.8-npm-packages","4.0.9-npm-packages","4.1.0-npm","4.1.0-npm-packages","4.1.1-npm-packages","4.1.2-npm-packages","4.1.3-npm-packages","4.1.4-npm-packages","4.1.5-npm-packages","4.10.0-npm","4.11.0-npm","4.11.1-npm","4.11.2-npm","4.12.0-npm","4.13.0-npm","4.13.1-npm","4.14.0-npm","4.14.1-npm","4.14.2-npm","4.15.0-npm","4.16.0-npm","4.16.1-npm","4.16.2-npm","4.16.3-npm","4.16.4-npm","4.16.5-npm","4.16.6-npm","4.17.0-npm","4.17.1-npm","4.17.10-npm","4.17.11-npm","4.17.2-npm","4.17.3-npm","4.17.4-npm","4.17.5-npm","4.17.9-npm","4.2.0-npm","4.2.0-npm-packages","4.2.1-npm","4.2.1-npm-packages","4.2.2-npm-packages","4.2.3-npm-packages","4.2.4-npm-packages","4.2.5-npm-packages","4.3.0-npm","4.3.0-npm-packages","4.4.0-npm","4.5.0-npm","4.5.1-npm","4.6.0-npm","4.6.1-npm","4.7.0-npm","4.8.0-npm","4.8.1-npm","4.8.2-npm","4.9.0-npm"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10744.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.4.0"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"last_affected":"12.1.5"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.3"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.2"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.3"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.3"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.1"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"12.1.0"},{"fixed":"12.1.5.2"}]},{"events":[{"introduced":"13.1.0"},{"fixed":"13.1.3.4"}]},{"events":[{"introduced":"14.1.0"},{"fixed":"14.1.2.5"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"15.1.0"},{"fixed":"15.1.0.2"}]},{"events":[{"introduced":"6.0.0"},{"last_affected":"6.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}