The occasion for the renewal of what's been a longstanding concern was the publication on Wednesday of an npm security advisory, which should now be showing up as a command line warning among those using npm's "audit" command, or those using npm to install a package that has lodash as a dependency.
The flaw at issue is a prototype pollution attack, by which an attacker can inject properties into the prototype of
Adding or modifying object properties in this way means child objects inherit these properties, which could lead to denial of service or arbitrary code execution under certain circumstances.
The bug, considered low severity, resides in lodash's zipObjectDeep function and can be exploited by passing the function a set of arrays that includes a specific key value. It was disclosed to bug bounty service HackerOne in October last year, and John-David Dalton, the creator and primary maintainer of lodash, appears to have been notified in early December 2019.
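To show the mechanism the advisory describes, here is an added illustration that is not lodash's code and not the advisory's proof of concept: a constructed, minimal "deep set" helper of the kind zipObjectDeep implements, first in a form that walks every path segment unchecked, then hardened to refuse segments that redirect the walk onto a prototype. The helper names and the `pollutedDemo` property are constructed for the example.

```javascript
// Vulnerable form: trusts every path segment. A segment that resolves to a
// prototype (rather than an own property) makes the walk continue on
// Object.prototype, so the final assignment lands there and every plain
// object in the process inherits the new property.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: reject the segments that can reach a prototype, and only
// descend into intermediate objects that are own properties of the node.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new TypeError(`refusing prototype-affecting segment in path "${path}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Detection check for a test suite: did Object.prototype gain an own property?
function prototypeIsPolluted(propName) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, propName);
}

// Runs the unsafe helper against a throwaway object, checks whether an
// unrelated object inherits the value, then cleans up. Returns true if the
// pollution was observed, i.e. if the helper is exploitable.
function demo() {
  const unrelated = {};
  setPathUnsafe({}, '__proto__.pollutedDemo', 'inherited');
  const polluted = unrelated.pollutedDemo === 'inherited' && prototypeIsPolluted('pollutedDemo');
  delete Object.prototype.pollutedDemo; // restore the global prototype
  return polluted;
}
```

The same `prototypeIsPolluted` check, run after a library's deep-merge or deep-set tests, is a cheap regression guard against this bug class.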
A similar lodash bug affecting the functions defaultsDeep was disclosed in October 2018 and was the most commonly found vulnerability in commercial open source applications, according to a report from design automation biz Synopsys in May.
There have been two pull requests – lines of corrected code – to fix the security flaw, both of which have been waiting around for about two months to be merged into the lodash project code so an update can be released.
That person is Dalton, who currently works as a UI security engineer at Salesforce and is involved in various other web tech projects. The Register attempted to reach Dalton for comment but we've not heard back.
Dalton is clearly aware there's a bottleneck in the lodash release process – the last time the library was revised was version 4.17.15, which arrived on July 17, 2019. In June, via Twitter, he put out a call for volunteers to help him maintain lodash and his other projects, promising maintainer status to those who respond.
As this story was being written on Thursday afternoon, he merged one of the pull requests to fix the issue, so an update can be expected soon.
You were expecting something more for free software from unpaid volunteers? ®