CRITICAL: CVE-2024-45678 - Prototype Pollution in lodash 4.17.19

🚨 CRITICAL SECURITY VULNERABILITY

CVE Details

  • CVE ID: CVE-2024-45678
  • Severity: CRITICAL (CVSS 9.8)
  • Package: lodash@4.17.19
  • Vulnerable Method: defaultsDeep()
  • Attack Vector: Network, No authentication required
  • Impact: Remote Code Execution (RCE)

Vulnerability Description

Prototype pollution in lodash: when defaultsDeep() merges an attacker-controlled object that carries a __proto__ key (for example a parsed JSON request body), the nested values are written onto Object.prototype and are then inherited by every plain object in the process. What that buys the attacker depends on which code later reads the polluted property; it can lead to:

  • Remote code execution, where a polluted property reaches code that spawns processes or evaluates templates
  • Denial of service
  • Application crash, where code that iterates or type-checks objects meets unexpected inherited properties
  • Privilege escalation, where an authorization check reads an inherited flag such as isAdmin

Affected Components

  • All React components using lodash utilities
  • State management helpers
  • Form validation logic
  • Deep merge operations in 15+ files

Exploitation Scenario

const lodash = require('lodash');
// Attacker-controlled input, e.g. a parsed JSON request body, carrying a __proto__ key
const malicious = JSON.parse('{"__proto__": {"isAdmin": true}}');
lodash.defaultsDeep({}, malicious);
// On the vulnerable version every plain object now inherits isAdmin from Object.prototype
console.log(({}).isAdmin); // true

Detection

Found by:

  • Dependabot security scan (2025-10-09)
  • npm audit (23 vulnerabilities, 1 critical)
  • Snyk security scan
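The scanners above report the finding, but they do not always show every copy of lodash in the tree, and a hoisted upgrade can leave a vulnerable nested duplicate behind. The following is an added example (not part of this advisory and not an npm, Dependabot or Snyk tool) that walks a package-lock.json using the lockfileVersion 2/3 "packages" map and flags every installed lodash copy below 4.17.21. The lock file content, the helper names (compareVersions, findLodashCopies, vulnerableLodashPaths) and the package names in it are constructed for the example; lodash-es and lodash.* are separate packages and are deliberately not matched.

```javascript
// Added example (not part of the advisory and not an npm or lodash tool): scan a
// package-lock.json that uses the lockfileVersion 2/3 "packages" map and report every
// installed copy of lodash, flagging those below the fixed version. Nested copies
// (node_modules/<dep>/node_modules/lodash) are reported too, because a hoisted upgrade
// can leave a vulnerable duplicate behind that only shows up in the lock file.
const FIXED_VERSION = '4.17.21';

// Numeric comparison of dotted versions (negative, 0 or positive, like a sort comparator).
// Pre-release suffixes are ignored; published lodash 4.x versions are plain x.y.z.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Match the lodash package itself at any nesting depth. Separate packages such as
// lodash-es or lodash.merge have their own paths and are deliberately not matched.
function isLodashPath(path) {
  return path === 'node_modules/lodash' || path.endsWith('/node_modules/lodash');
}

// lock: parsed package-lock.json. Returns one record per installed lodash copy.
// lockfileVersion 1 files have no "packages" map and yield an empty list.
function findLodashCopies(lock) {
  const packages = lock.packages || {};
  const copies = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!isLodashPath(path)) continue;
    const version = meta && typeof meta.version === 'string' ? meta.version : 'unknown';
    copies.push({
      path,
      version,
      // Treat an unreadable version as vulnerable so that it gets looked at.
      vulnerable: version === 'unknown' || compareVersions(version, FIXED_VERSION) < 0,
    });
  }
  return copies;
}

function vulnerableLodashPaths(lock) {
  return findLodashCopies(lock).filter((c) => c.vulnerable).map((c) => c.path);
}

// Constructed sample lock file (invented for this example, not a real project's):
// a hoisted 4.17.19, a nested 4.17.15 under a UI library, a fixed nested 4.17.21,
// and lodash-es, which is a different package.
const SAMPLE_LOCK = {
  name: 'web-app-react',
  lockfileVersion: 3,
  packages: {
    '': { name: 'web-app-react', dependencies: { lodash: '^4.17.19' } },
    'node_modules/lodash': { version: '4.17.19' },
    'node_modules/some-ui-lib': { version: '1.2.0', dependencies: { lodash: '~4.17.15' } },
    'node_modules/some-ui-lib/node_modules/lodash': { version: '4.17.15' },
    'node_modules/other-lib/node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash-es': { version: '4.17.21' },
  },
};

for (const copy of findLodashCopies(SAMPLE_LOCK)) {
  console.log(`${copy.vulnerable ? 'VULNERABLE' : 'ok        '} ${copy.path} ${copy.version}`);
}
```

Against a real checkout, feed it the parsed lock file, for example findLodashCopies(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))), and cross-check the result with npm ls lodash. A lockfileVersion 1 file (the old "dependencies" tree) is not walked by this function and would need its own traversal.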

Remediation

IMMEDIATE ACTION REQUIRED:

  1. Upgrade lodash to 4.17.21 or higher (npm install lodash@^4.17.21), then confirm with npm ls lodash that no nested copy below 4.17.21 remains in the tree
  2. Run npm audit fix; use --force only after reviewing its plan, since --force also installs semver-major upgrades of unrelated packages and can break the build
  3. Review all usages of defaultsDeep(), merge(), set() and similar deep-assignment helpers, and trace whether any argument can originate from user input (request bodies, query strings, WebSocket messages, stored JSON)
  4. Add input validation for user-controlled objects: reject or strip the keys __proto__, constructor and prototype at the trust boundary, before the data reaches any deep merge
  5. Deploy hotfix to production within 24 hours
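The exploitation scenario above and step 4 of the remediation, as an added example that is not part of this advisory and is not lodash's implementation: a hand-rolled recursive "defaults deep" that reproduces the same pollution mechanism, the hardened form beside it, and a JSON parser that refuses prototype-changing keys at the trust boundary. The function names (naiveDefaultsDeep, safeDefaultsDeep, parseUntrustedJson, pollutesGlobalPrototype) are chosen here, and the attacker payload is the constructed one from the scenario.

```javascript
// Added example, not the advisory's code and not lodash's implementation: a minimal
// recursive "defaults deep" that reproduces the pollution mechanism, the hardened form
// beside it, and an input validator that refuses prototype-changing keys at the edge.

// VULNERABLE: every own key of `source` is walked, including a "__proto__" key, which
// JSON.parse stores as an ordinary own property. Reading target["__proto__"] on a plain
// object returns Object.prototype, so the recursion writes the attacker's values there.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveDefaultsDeep(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// HARDENED: input never selects a prototype-chain key, and only own properties of the
// target count as "already set"; inherited ones are never read or written through.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Array.isArray(value) ? [] : {};
      }
      safeDefaultsDeep(target[key], value);
    } else if (!hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Input validation at the trust boundary: parse untrusted JSON with a reviver that
// rejects the whole document if any nested object carries a prototype-changing key.
// Rejecting (rather than silently dropping) makes the attempt visible in logs.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`untrusted input rejected: key "${key}" is not allowed`);
    }
    return value;
  });
}

// Run the advisory's payload through a merge function and report whether an unrelated,
// freshly created object ended up inheriting isAdmin. The pollution is undone afterwards.
function pollutesGlobalPrototype(mergeFn) {
  const attackerBody = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed payload
  mergeFn({}, attackerBody);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo so the rest of the process is unaffected
  return polluted;
}

console.log('naive merge pollutes Object.prototype:', pollutesGlobalPrototype(naiveDefaultsDeep)); // true
console.log('safe merge pollutes Object.prototype:', pollutesGlobalPrototype(safeDefaultsDeep)); // false
```

Both defences belong together: the hardened merge protects the call site, the reviver stops the payload at the boundary so it never reaches any helper that was missed in the review. If an application legitimately stores keys named constructor or prototype, narrow FORBIDDEN_KEYS for that input and keep __proto__ in it unconditionally.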

Affected Projects

This vulnerability impacts ALL frontend projects:

  • ui-component-library (CRITICAL - used in 15 files)
  • web-app-react (HIGH - used in 8 files)
  • ai-chat-interface (HIGH - used in WebSocket message handling)
  • ml-dashboard (MEDIUM - used in data transformation)

Timeline

  • 2025-10-09 08:00 UTC: Vulnerability discovered in CI pipeline
  • 2025-10-09 09:30 UTC: Security team notified
  • 2025-10-09 10:00 UTC: Hotfix branch created
  • 2025-10-09 14:00 UTC: Target deployment time

References

Related Issues

  • acme-corp/frontend-team/core-frontend-team/web-app-react#TBD
  • acme-corp/frontend-team/ai-frontend-team/ai-chat-interface#TBD
  • acme-corp/frontend-team/ai-frontend-team/ml-dashboard#TBD

DO NOT MERGE any MRs until this is resolved

cc: @stanhu @bob @michael_usanchenko @dmitry - URGENT ACTION REQUIRED

Edited by ben