CVE-2020-8203

HIGH

lodash < 4.17.20 - Prototype Pollution via _.zipObjectDeep

Title source: llm

STIX 2.1

Description

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

References (8)

Core 8

Core References

Exploit, Third Party Advisory x_refsource_misc

https://hackerone.com/reports/712065

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuApr2021.html

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20200724-0006/

Issue Tracking, Vendor Advisory x_refsource_misc

https://github.com/lodash/lodash/issues/4874

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com//security-alerts/cpujul2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujan2022.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 7.4

EPSS 0.0331

EPSS Percentile 87.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Details

CWE

CWE-770 CWE-1321

Status published

Products (47)

lodash/lodash < 4.17.20

npm/lodash 3.7.0 - 4.17.19npm

npm/lodash-es 3.7.0 - 4.17.20npm

npm/lodash.pick 4.0.0npm

npm/lodash.set 3.7.0npm

npm/lodash.setwith 0npm

npm/lodash.update 0npm

npm/lodash.updatewith 0npm

oracle/banking_corporate_lending_process_management 14.2.0

oracle/banking_corporate_lending_process_management 14.3.0

... and 37 more

Published Jul 15, 2020

Tracked Since Feb 18, 2026