CVE-2018-3721 in Lodash and NetApp Products
Published on June 7, 2018

The lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

NVD
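
The flaw class described above, shown as an added example that is not lodash's source or part of the original page: a naive recursive merge beside a hardened one. The names naiveMerge, safeMerge, runDemo and the isAdmin property are hypothetical, and the JSON input is constructed.

```javascript
'use strict';

// Constructed input: JSON.parse creates "__proto__" as an ordinary own key.
const UNTRUSTED = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

const isObject = (v) => v !== null && typeof v === 'object';

// Naive recursive merge (hypothetical, not lodash code): trusts every key.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      // For key "__proto__", target[key] is Object.prototype itself.
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips keys that reach the prototype chain and only
// recurses into properties the target itself owns.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(source[key]) && own && isObject(target[key])) {
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Merges the same input with both functions and reports what an unrelated,
// freshly created object sees afterwards.
function runDemo() {
  const result = {};
  result.theme = safeMerge({}, JSON.parse(UNTRUSTED)).theme;
  result.afterSafe = ({}).isAdmin;     // prototype untouched
  naiveMerge({}, JSON.parse(UNTRUSTED));
  result.afterNaive = ({}).isAdmin;    // inherited from Object.prototype
  delete Object.prototype.isAdmin;     // undo the pollution
  result.afterCleanup = ({}).isAdmin;
  return result;
}
```

The property never appears on the merge target itself; it shows up on every object created afterwards, which is why an authorization check that reads a missing property is the typical place this surfaces.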

Weakness Type

What is a MAID Vulnerability?

The software does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.

CVE-2018-3721 has been classified as a MAID vulnerability or weakness.


Products Associated with CVE-2018-3721

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2018-3721 are published in these products:

 
 
 

Affected Versions

HackerOne lodash node module: versions before 4.17.5 are affected by CVE-2018-3721

Exploit Probability

EPSS: 0.25%
Percentile: 48.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.