
SECURITY: Fix CVE-2024-45678 - Prototype Pollution in lodash 4.17.19

Security Fix

CVE-2024-45678 - Critical prototype pollution vulnerability in lodash 4.17.19

Vulnerability Details

  • Severity: CRITICAL (CVSS 9.8)
  • Attack Vector: Network-based, low complexity
  • Impact: Arbitrary code execution via Object.prototype manipulation
  • Affected Functions: _.merge(), _.mergeWith(), _.defaultsDeep()

Changes

  • Upgraded lodash from 4.17.19 → 4.17.21 (patched version)
  • Added .gitlab-ci.yml with dependency scanning pipeline
  • Configured npm audit to fail on critical vulnerabilities
  • Bumped package version to 1.2.1

Testing

  • CI pipeline includes dependency scanning stage
  • npm audit passes with no critical vulnerabilities
  • All existing tests pass

References

Closes #6 (closed)

@stanhu please review urgently - this is a critical security fix
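The pollution path the description attributes to `_.merge()`, `_.mergeWith()` and `_.defaultsDeep()` is easier to reason about with a runnable reproduction. The block below is an added example and is not lodash's source, not this merge request's code, and not a reproduction of the specific CVE; it contains a deliberately naive recursive merge that shows the general pattern (walking into `target["__proto__"]` and writing through to `Object.prototype`), beside a hardened merge and a `JSON.parse` reviver that strip prototype-reaching keys at the input boundary. `PAYLOAD_JSON`, `UNSAFE_KEYS`, `isPlainObject`, `naiveMerge`, `safeMerge`, `parseJsonSafely`, `pollutes` and the `user` record are all constructed for the demonstration.

```javascript
// Added example (not lodash's source and not code from this MR): a naive
// recursive merge that reproduces the prototype-pollution pattern described
// for _.merge()/_.defaultsDeep(), beside a hardened merge and a JSON reviver
// that refuse prototype-reaching keys. Payload and user record are constructed.

// Constructed attacker input, e.g. a JSON request body merged into settings.
// JSON.parse creates an OWN property literally named "__proto__"; it does not
// change the parsed object's prototype, which is what lets the key survive
// until a merge walks into it.
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Keys that can reach a prototype from a plain object (assumed deny-list).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: recurses into target[key] without asking whether the key
// is an own property. For key "__proto__", target[key] is Object.prototype
// (via the inherited accessor), so the recursion writes isAdmin onto every
// plain object in the process, not just the merge target.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip keys that can reach a prototype, and only descend
// into values the target holds as its OWN plain-object properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-side control: drop prototype-reaching keys while parsing, so nothing
// downstream ever sees them. A reviver that returns undefined deletes the key.
function parseJsonSafely(text) {
  return JSON.parse(text, (key, value) => (UNSAFE_KEYS.has(key) ? undefined : value));
}

// Merge a fresh object with the payload using mergeFn and report whether an
// unrelated record afterwards inherits isAdmin. Restores Object.prototype so
// the check is repeatable within one process.
function pollutes(mergeFn, parse = JSON.parse) {
  const user = { name: 'alice' }; // constructed record; has no own isAdmin
  try {
    mergeFn({}, parse(PAYLOAD_JSON));
    return user.isAdmin === true; // true only if Object.prototype was written
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function main() {
  console.log('naiveMerge pollutes:', pollutes(naiveMerge)); // true
  console.log('safeMerge pollutes:', pollutes(safeMerge)); // false
  console.log('naiveMerge + safe parse pollutes:', pollutes(naiveMerge, parseJsonSafely)); // false
  console.log('safeMerge result keys:', Object.keys(safeMerge({}, JSON.parse(PAYLOAD_JSON)))); // [ 'theme' ]
}

main();
```

The upgrade to the patched lodash release is the actual fix; the hardened merge and the reviver are defence-in-depth for any other deep-merge code the application owns, and the `pollutes` probe is the kind of regression check worth keeping next to a dependency bump. Note that the CI gate listed in the changes is separate from this: `npm audit --audit-level=critical` exits non-zero when a critical advisory matches the lockfile, which is what makes the pipeline fail rather than merely report.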
