lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.00187
Percentile: 0.40863
CVSS Scoring
CVSS v3.1 Score: 6.5
Severity: MEDIUM
Mapped CWE(s)
CWE-1321 : Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-471 : Modification of Assumed-Immutable Data (MAID)
All CAPEC(s)
CAPEC-1 : Accessing Functionality Not Properly Constrained by ACLs
CAPEC-180 : Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-384 : Application API Message Manipulation via Man-in-the-Middle
CAPEC-385 : Transaction or Event Tampering via Application API Manipulation
CAPEC-386 : Application API Navigation Remapping
CAPEC-387 : Navigation Remapping To Propagate Malicious Content
CAPEC-388 : Application API Button Hijacking
CAPEC-77 : Manipulating User-Controlled Variables
CAPEC(s) with Mapped TTPs
CAPEC-1 : Accessing Functionality Not Properly Constrained by ACLs
Mapped TTPs:
T1574.010 : Services File Permissions Weakness
CAPEC-180 : Exploiting Incorrectly Configured Access Control Security Levels
Mapped TTPs:
T1574.010 : Services File Permissions Weakness
Mapped ATT&CK TTPs
T1574.010 : Services File Permissions Weakness
Kill Chain: persistence
Malware
APTs Threat Group Associations
Campaigns
Affected Products
cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:system_manager:9.0:*:*:*:*:*:*:*
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me