Pwn0sec research team discovers severe Improper Input Validation Prototype Pollution security vulnerabilities

2 min readSep 2, 2023

7.11 version.

About lodash security vulnerability

The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. Following is an example of how this vulnerability will impact a JavaScript application:

const mergeFn = require('lodash').defaultsDeep;
const payload = '{"constructor": {"prototype": {"a0": true}}}'

function check() {
mergeFn({}, JSON.parse(payload));
if (({})[`a0`] === true) {
console.log(`Vulnerable to Prototype Pollution via ${payload}`);


After covering the basics of prototype pollutions, we can refer to the actual security fix that pwn0sec’s engineer Kirill had PRed to the lodash JavaScript library repository on GitHub at

The fix includes a safety check to ensure that we’re not polluting the global object based on a key that is set to constructor. A test case is also added to ensure no future regressions occur.

What should I do

  • If you’re already using Pwn0sec to monitor your applications, you will have already automatically protect yourself by applying the aforementioned security patch sent to you as a PR to your affected projects.
  • If you do not use Pwn0sec , you can add your projects, by creating a free account and importing your projects from your code repositories into the Pwn0sec dashboard. Upon seeing the results of your Pwn0 sectest scan, you can go ahead and have Pwn0sec create a Pull Request that will remediate your vulnerable lodash library by applying a Pwn0sec patch.
  • There isn’t currently an easy manual fix until a new version of lodash, containing the fix is released, at which point you should upgrade to the new version.
  • Pwn0sec creates patches for high impact vulnerabilities, such as the case with lodash that affects millions of projects across Node.js and JavaScript ecosystems. All patches are tested rigorously in a process that ensures they apply well on supported versions of the affected library.
Copyright @Pwn0sec 2014 Cyber security researcher




father, spare time hacker with a background in software development and penetration tester experience. H1: @private