CVE-2020-8203 — Lodash Prototype Pollution (Severity: HIGH, CVSS 7.4)
Listed in CISA KEV · Ecosystem: npm · Affected: lodash < 4.17.21 · Fixed in: 4.17.21
Lodash's zipObjectDeep, merge, and mergeWith functions allow an attacker to modify Object.prototype by passing a crafted payload (a source object whose keys target the prototype chain rather than the object itself). Any application that passes user-controlled data to these functions is vulnerable. The flaw is widely exploited, and lodash appears on CISA KEV.
What's affected
| Package | Ecosystem | Vulnerable versions | Safe version |
|---|---|---|---|
| lodash | npm | < 4.17.21 | 4.17.21 |
How to fix CVE-2020-8203
- Update lodash to 4.17.21 in `package.json`
- Run `npm install`
- Verify with: `node -e "const _ = require('lodash'); console.log(_.version)"`
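The one-line check above only reports the top-level lodash; a dependency that pins an older lodash under its own node_modules keeps the vulnerable code in the tree. The following script is an added example (not code from this page or from PackageFix) that scans a package-lock.json for every installed lodash copy and flags any older than 4.17.21; it assumes lockfileVersion 2 or 3 (the "packages" map), and the sample lock data embedded in it is constructed.

```javascript
// Added example (not from the page or PackageFix): find every installed copy of
// lodash in a package-lock.json and flag versions below 4.17.21 (CVE-2020-8203).
// Assumes lockfileVersion 2 or 3, whose "packages" map keys are install paths
// such as "node_modules/lodash" or "node_modules/foo/node_modules/lodash".
const FIXED_VERSION = '4.17.21';

// Numeric comparison of dotted versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version }] for each lodash copy older than the fixed version,
// including nested copies that updating the top-level dependency does not replace.
function findVulnerableLodash(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/lodash') || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lock data: the top-level lodash is fixed, but a dependency
// pins an older lodash under its own node_modules, so the app is still exposed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { lodash: '4.17.15' } },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.15' },
  },
};

// Usage: node audit-lodash.js ./package-lock.json   (no argument audits the sample)
const lockFile = process.argv[2];
const lock = lockFile ? JSON.parse(require('fs').readFileSync(lockFile, 'utf8')) : SAMPLE_LOCK;
for (const f of findVulnerableLodash(lock)) {
  console.log(`VULNERABLE: ${f.path} @ ${f.version} (< ${FIXED_VERSION}, CVE-2020-8203)`);
}
```

An empty result means every lodash copy in the lockfile is at 4.17.21 or newer; any finding names the nested path whose parent dependency needs updating or overriding.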
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2020-8203 no longer appears in the CVE table, you're clean.
Frequently Asked Questions
What functions in lodash are affected by CVE-2020-8203?
zipObjectDeep, merge, mergeWith, and defaultsDeep are the primary affected functions. Any code that passes user-controlled object keys to these functions is vulnerable.
Is lodash being replaced by native JavaScript?
Yes — many lodash functions have native equivalents in modern JavaScript. However, migration takes time. Updating to 4.17.21 is the immediate fix.
Why is lodash on the CISA KEV list?
CISA added lodash because CVE-2020-8203 was confirmed to be exploited in attacks against production applications. The wide deployment of lodash makes it a high-value target.