CVE-2019-10744

9.1 CRITICAL

📋 TL;DR

CVE-2019-10744 is a prototype pollution vulnerability in lodash versions below 4.17.12. Untrusted input passed to the defaultsDeep function can add or overwrite properties on Object.prototype, which can lead to denial of service, remote code execution, or privilege escalation. Any application using a vulnerable lodash version is affected, particularly Node.js applications and web applications with lodash dependencies.

💻 Affected Systems

Products:
  • lodash
  • Node.js applications using lodash
  • Web applications with lodash dependencies
Versions: All versions below 4.17.12
Operating Systems: All platforms running affected software
Default Config Vulnerable: ⚠️ Yes
Notes: Any application importing and using lodash's defaultsDeep function is vulnerable by default.

📦 What is this software?

lodash is a widely used JavaScript utility library, distributed as the npm package lodash, that provides helper functions for arrays, objects and strings. defaultsDeep is its helper for recursively filling in missing properties of a target object from one or more source objects.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case

Denial of service, application crashes, or privilege escalation within the application context.

🟢 If Mitigated

Limited impact with proper input validation, sandboxing, and security controls in place.

🌐 Internet-Facing: HIGH - Web applications using lodash are directly exposed to crafted payloads.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists and exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.17.12 and later

Vendor Advisory: https://snyk.io/vuln/SNYK-JS-LODASH-450202

Restart Required: Yes

Instructions:

1. Update lodash to version 4.17.12 or higher using npm update lodash.
2. Restart all affected applications.
3. Verify no dependencies are pulling in older versions.

🔧 Temporary Workarounds

Input validation and sanitization

Applies to: all

Implement strict input validation that rejects malicious payloads before they reach the defaultsDeep function.

Object.freeze on Object.prototype

Applies to: all

Prevent prototype pollution by freezing Object.prototype (this may break legitimate functionality that adds properties to Object.prototype).

Object.freeze(Object.prototype)

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block prototype pollution payloads.
  • Isolate affected applications in containers or VMs with strict network segmentation.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list lodash to see the installed version.

Check Version:

npm list lodash | grep lodash

Verify Fix Applied:

Confirm lodash version is 4.17.12 or higher and test application functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes
  • Unexpected property modifications in logs
  • Suspicious input patterns

Network Indicators:

  • HTTP requests with crafted JSON payloads sent to endpoints that merge request data using defaultsDeep

SIEM Query:

source="application.log" AND "defaultsDeep" AND ("crash" OR "error")
