A significant security vulnerability has surfaced in Lodash, a widely utilized JavaScript library employed in over four million projects on GitHub alone. This issue poses a high risk, allowing attackers to potentially jeopardize the services leveraging this library and impact their user bases significantly.
Lodash, accessible at lodash.com, offers developers various tools that streamline programming tasks involving strings, numbers, arrays, functions, and objects. The library is fundamental for many developers aiming to enhance the efficiency of their JavaScript code.
Recently, Liran Tal, a developer advocate at the open-source security platform Snyk, disclosed details regarding a critical prototype pollution vulnerability that affects all versions of Lodash, including the latest release, version 4.17.11. This vulnerability, cataloged as CVE-2019-10744, has the potential to impact numerous frontend projects, given Lodash’s staggering download rate of over 80 million per month.
Prototype pollution lets an attacker alter a web application’s JavaScript object prototype. A prototype is the object from which other objects inherit their properties, so it supplies the fallback values an application sees when a property is not defined on the object itself. An attacker who can inject properties into an existing prototype can overwrite or corrupt those inherited attributes. Such changes disrupt how the application handles JavaScript objects throughout the prototype hierarchy, potentially leading to denial of service or even remote code execution.
According to Tal, among the vulnerable functions is “defaultsDeep,” a component within the Lodash library. This function could be coerced into adding or modifying properties of Object.prototype through a specially crafted constructor payload. Depending on the scenario, this can result in a web application crashing or exhibiting undesired behavior.
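As an added illustration of the constructor-payload mechanism described above (example code written for this article, not Lodash’s own implementation or Snyk’s proof of concept), here is a minimal defaultsDeep-style merge beside a hardened version that refuses to walk the `__proto__`, `constructor` and `prototype` keys. The payload strings are constructed for the demonstration.

```javascript
// Treat functions as objects too, as a deep-merge must if it is to walk
// into `constructor` (a function) on its way to `constructor.prototype`.
const isObject = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Naive deep-defaults: fills in missing keys recursively but follows every
// key of `source`, so a crafted source can reach Object.prototype through
// the inherited `constructor` or the `__proto__` accessor.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObject(src)) {
      if (!isObject(target[key])) target[key] = {};
      naiveDefaultsDeep(target[key], src);
    } else if (target[key] === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hardened variant: skip keys that lead into the prototype chain and only
// recurse into values that are the target's own properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(src)) {
      if (!hasOwn || !isObject(target[key])) target[key] = {};
      safeDefaultsDeep(target[key], src);
    } else if (!hasOwn) {
      target[key] = src;
    }
  }
  return target;
}

// Constructed payloads: one via `constructor.prototype`, one via `__proto__`.
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": true}}}';
const PROTO_PAYLOAD = '{"__proto__": {"polluted": true}}';

// Merge the payload into an empty object, then check whether an unrelated,
// freshly created object now sees the injected property. Cleans up afterwards.
function pollutes(mergeFn, payloadJson) {
  try {
    mergeFn({}, JSON.parse(payloadJson));
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}
```

Running `pollutes(naiveDefaultsDeep, CONSTRUCTOR_PAYLOAD)` reports `true`, while the hardened merge reports `false` for both payloads and still performs an ordinary merge correctly.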
Exploiting prototype pollution vulnerabilities often requires a deep understanding of the specific application being targeted, which makes such attacks complex. Tal reported the vulnerability to John Dalton, the maintainer of Lodash, along with suggested fixes that can be found in two pull requests (1 and 2). These fixes are expected to be integrated into an upcoming version of the library.
For organizations utilizing Lodash in their projects, prompt action is advised. Developers should prepare to update their libraries upon the release of the official patch or consider applying the fixes manually to mitigate the threat posed by this vulnerability.