{"id":"CVE-2020-8203","details":"Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.","aliases":["GHSA-p6mc-m468-83gw"],"modified":"2026-04-02T06:15:05.696501Z","published":"2020-07-15T17:15:11.797Z","references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200724-0006/"},{"type":"REPORT","url":"https://github.com/lodash/lodash/issues/4874"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/712065"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lodash/lodash","events":[{"introduced":"0"},{"fixed":"f2e7063ee409ff40a60b14370c58dceee1a2efd4"},{"introduced":"0"},{"last_affected":"0847978784a28c9618a827e19220451e1eb5257f"},{"introduced":"0"},{"last_affected":"343b869a6880825a2397427668fbc64d82a060a6"},{"introduced":"0"},{"last_affected":"343b869a6880825a2397427668fbc64d82a060a6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.17.20"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"3.3.0"},{"introduced":"0"},{"last_affected":"pcz3.3"}]}}],"versions":["3.0.0-npm","3.0.0-npm-packages","3.0.1-npm","3.0.1-npm-packages","3.0.2-npm-packages","3.0.3-npm-packages","3.0.4-npm-packages","3.0.5-npm-packages","3.0.6-npm-packages","3.0.7-npm-packages","3.0.8-npm-packages","3.0.9-npm-packages","3.1.0-npm","3.1.0-npm-packages","3.1.1-npm-packages","3.1.2-npm-packages","3.1.3-npm-packages","3.1.4-npm-packages","3.1.5-npm-packages","3.1.6-npm-packages","3.1.7-npm-packages","3.10.0-npm","3.10.1-npm","3.2.0-npm","3.2.0-npm-packages","3.3.0-npm","3.3.1-npm","3.4.0-npm","3.5.0-npm","3.6.0-npm","3.7.0-npm","3.8.0-npm","3.9.0-npm","3.9.1-npm","3.9.2-npm","3.9.3-npm","4.0.0-npm","4.0.1-npm","4.1.0-npm","4.10.0-npm","4.11.0-npm","4.11.1-npm","4.11.2-npm","4.12.0-npm","4.13.0-npm","4.13.1-npm","4.14.0-npm","4.14.1-npm","4.14.2-npm","4.15.0-npm","4.16.0-npm","4.16.1-npm","4.16.2-npm","4.16.3-npm","4.16.4-npm","4.16.5-npm","4.16.6-npm","4.17.0-npm","4.17.1-npm","4.17.10-npm","4.17.11-npm","4.17.12-npm","4.17.13-npm","4.17.14-npm","4.17.15-npm","4.17.2-npm","4.17.3-npm","4.17.4-npm","4.17.5-npm","4.17.9-npm","4.2.0-npm","4.2.1-npm","4.3.0-npm","4.4.0-npm","4.5.0-npm","4.5.1-npm","4.6.0-npm","4.6.1-npm","4.7.0-npm","4.8.0-npm","4.8.1-npm","4.8.2-npm","4.9.0-npm"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"fixed":"21.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5.0.23.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"cz8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"cz8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"cz8.3"}]},{"events":[{"introduced":"0"},{"last_affected":"cz8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.12"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.11"}]},{"events":[{"introduced":"20.12.0"},{"last_affected":"20.12.7"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8203.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}