express-oauth-server icon indicating copy to clipboard operation
express-oauth-server copied to clipboard
verified publisher icon oauthjs

Please fix vulnerabilities/warning "Versions of lodash before 4.17.5 are vulnerable to prototype pollution"

Open ajaybhalerao-eaton opened this issue 5 years ago • 2 comments

Overview Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

PFA.

Remediation Update to version 4.17.11 or later.

https://www.npmjs.com/advisories result.txt /782

ajaybhalerao-eaton avatar Aug 13 '20 06:08 ajaybhalerao-eaton

Can we not do it manually?

ashish1497 avatar Nov 16 '20 06:11 ashish1497

Doing it manual way is bit of challenge, due to multiple dependencies. Also, i have CI/CD pipeline set up for installation, doing it manual way, is bit of challenge.

ajaybhalerao-eaton avatar Nov 18 '20 04:11 ajaybhalerao-eaton