Sonatype examines lodash’s open source vulnerabilities
“Users of lodash are able to reap the benefits of more elegant code in less time by utilising the robust lodash library. However, what was created as a helpful feature for most, lends itself to an attack vector for bad actors if it isn’t managed properly.”
Attack mechanics and remediation procedure
According to Sonatype’s research, vulnerability CVE-2018-16487 stems from an apparently incomplete fix for CVE-2018-3721 that was applied in lodash version 4.17.5.
Attackers can exploit the flaw by inserting large quantities of incompatible objects in a short time frame, which can result in a denial of service (DoS) or remote code execution (RCE).
To resolve the issue, Sonatype recommends users upgrade to version 4.17.11 of lodash, which contains a dedicated fix for the issue.
“If upgrading is not a viable option, some developers have chosen to protect against this vulnerability by replacing a property entirely (rather than recursively extending it) if the destination object doesn't have that property as its own,” it advises.
Furthermore, the company advises that fixing one of lodash’s properties wouldn’t necessarily guarantee that all others were equally protected. As such, users are advised to tread with caution to ensure the vulnerability is holistically resolved.
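The mitigation quoted above, as an added example (not Sonatype’s or lodash’s own code): a naive recursive merge of the kind the advisory describes sits beside a hardened version that extends a property only when the destination already has it as its own and otherwise replaces it outright, followed by a regression check on a constructed untrusted document. The function and key names (`naiveMerge`, `safeMerge`, `runCheck`, `polluted`, `theme`) are assumptions for the illustration.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge of the kind the advisory describes: it recurses into target[key]
// whenever that lookup yields an object, even when the property is inherited rather
// than the target's own, so the recursion can land on a shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge applying the quoted mitigation: recurse only into a property the
// target has as its own; otherwise replace it with a fresh copy of the source value.
// Keys that address the prototype chain are dropped outright as a second barrier.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value) && hasOwn(target, key) && isPlainObject(target[key])) {
      safeMerge(target[key], value);
    } else {
      target[key] = isPlainObject(value) ? safeMerge({}, value) : value;
    }
  }
  return target;
}

// Regression check: merge a constructed untrusted document (the shape a parsed JSON
// body would take) with each merge and report whether an unrelated, freshly created
// object afterwards inherits the injected key. The naive result is undone so the rest
// of the process is not affected.
function runCheck() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "theme": {"dark": true}}');
  naiveMerge({}, untrusted);
  const naiveLeaked = ({}).polluted;          // 'yes': every object now inherits it
  delete Object.prototype.polluted;
  const merged = safeMerge({ theme: { dark: false, font: 'mono' } }, untrusted);
  const safeLeaked = ({}).polluted;           // undefined: prototype left untouched
  return { naiveLeaked, safeLeaked, merged };
}
```

The same check, run against the merge helper an application actually ships, is a cheap way to confirm that an upgrade or a local workaround really closed the hole.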