Will It Vibe logoWill It Vibe?
SCA-006High severity-15 points

lodash prototype pollution (npm, <4.17.21)

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Flags a manifest pin of lodash below 4.17.21, before the prototype-pollution/command-injection fixes (CVE-2020-8203, CVE-2021-23337) landed.

Why it matters

Versions of lodash before 4.17.21 have documented prototype-pollution and command-injection issues in functions like zipObjectDeep and template (CVE-2020-8203, CVE-2021-23337). An attacker who can influence input to one of these functions can pollute Object.prototype for the whole process or, in the template case, potentially execute code -- a real, exploited class of bug in a package that ships in nearly every JavaScript project. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.

How to fix it

Bump lodash to 4.17.21 or later. This is almost always a drop-in upgrade with no API changes; if lodash is only a transitive dependency, update the parent package or add an override/resolutions entry forcing 4.17.21+.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks