Share
## https://sploitus.com/exploit?id=0EFC61DB-6712-5A20-BC15-1A1F40196053
# ๐ด CVE-2019-10744 | CVE-2018-16487 | CVE-2018-3721 | CVE-2021-23337
## Lodash Prototype Pollution to Full Information Disclosure - POC
[](https://github.com)
[](https://nvd.nist.gov/vuln/detail/CVE-2019-10744)
[](https://nvd.nist.gov/vuln/detail/CVE-2018-16487)
[](https://nvd.nist.gov/vuln/detail/CVE-2018-3721)
[](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)
[](https://lodash.com/)
---
## ๐ Table of Contents
- [Overview](#overview)
- [CVEs Covered](#cves-covered)
- [Impact Assessment](#impact-assessment)
- [Requirements](#requirements)
- [Quick Start](#quick-start)
- [POC Execution](#poc-execution)
- [Expected Output](#expected-output)
- [Exploitation Details](#exploitation-details)
- [Detection Methods](#detection-methods)
- [Remediation](#remediation)
- [References](#references)
- [Disclaimer](#disclaimer)
---
## ๐ Overview
This repository contains a **Proof of Concept (POC)** for multiple critical vulnerabilities in **Lodash versions โค 4.17.21**, demonstrating how prototype pollution can lead to:
- ๐ **Authentication Bypass**
- ๐ **Unauthenticated API Access**
- ๐ **Secret/Token Extraction**
- ๐ก **SSRF (Server-Side Request Forgery)**
- ๐พ **Sensitive Information Disclosure**
The POC is fully automated and works directly in the browser console, requiring no additional tools.
---
## ๐ฏ CVEs Covered
| CVE ID | Severity | Description | Affected Versions |
|--------|----------|-------------|-------------------|
| **CVE-2019-10744** | ๐ด HIGH | Prototype Pollution in `defaultsDeep` function | โค 4.17.11 |
| **CVE-2018-16487** | ๐ด HIGH | Prototype Pollution in `merge` function | โค 4.17.4 |
| **CVE-2018-3721** | ๐ก MEDIUM | Prototype Pollution in `mergeWith` function | โค 4.17.5 |
| **CVE-2021-23337** | ๐ด HIGH | Command Injection via `template` function | โค 4.17.20 |
---
## โ ๏ธ Impact Assessment
### Potential Attack Vectors
| Attack Vector | Impact | Difficulty |
|---------------|--------|------------|
| **Prototype Pollution** | Client-side privilege escalation | EASY |
| **Authentication Bypass** | Unauthorized access to admin features | MEDIUM |
| **SSRF via Proxy Endpoints** | Internal network scanning, cloud metadata theft | MEDIUM |
| **Secret Extraction** | API keys, JWT tokens, passwords exposed | EASY |
| **Information Disclosure** | Sensitive data leakage from unprotected APIs | EASY |
### CVSS Score Calculation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 9.1 (CRITICAL)
Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Confidentiality Impact: HIGH
Integrity Impact: HIGH
---
## ๐ป Requirements
- **Target:** Any web application using Lodash โค 4.17.21
- **Browser:** Chrome, Firefox, Edge, or any modern browser
- **Access:** Browser console (F12)
- **Network:** Internet connection to fetch JavaScript bundles
### Tested On
- โ
Angular 2+ applications
- โ
React applications with Lodash
- โ
Vue.js applications
- โ
Leaflet.js mapping applications
- โ
Azure Front Door hosted apps
---
## ๐ Quick Start
### Step 1: Open Target Website
Navigate to the target web application in your browser.
### Step 2: Open Developer Console
- **Chrome/Edge:** `F12` or `Ctrl+Shift+J` (Windows) / `Cmd+Option+J` (Mac)
- **Firefox:** `F12` or `Ctrl+Shift+K` (Windows) / `Cmd+Option+K` (Mac)
### Step 3: Run the POC
Copy and paste the entire script from `poc.js` into the console and press `Enter`.
### Step 4: Analyze Results
Review the console output and the visual indicator that appears on the page.