Outdated Lodash Insecure

This page loads Lodash 4.17.15 and demonstrates the classic prototype pollution pattern: passing attacker-controlled JSON to a deep-merge API (_.merge, _.defaultsDeep) that recurses into whatever property names the input contains.

Risky Pattern — Deep merge on untrusted JSON

Do not do this: calling _.merge(target, JSON.parse(input)) or _.defaultsDeep(target, JSON.parse(input)) where input comes from a client.

Why it’s bad: Some historical Lodash builds walked every key of the source object, including __proto__ and constructor.prototype, and recursed into whatever those names resolve to on the target. For a plain target that is Object.prototype, so the merge writes the attacker’s properties there. Once Object.prototype is polluted, every object created afterwards (including ones the application never touched) inherits attacker-controlled properties, which can flip permission checks, inject options into libraries, or in some applications lead to code execution. The fix is to upgrade Lodash; as defence in depth, reject those keys before merging, merge only into own properties of plain objects, or freeze Object.prototype at startup.

  1. Paste a payload (try one of the examples below).
  2. Click Merge UNSAFELY with _.merge or _.defaultsDeep.
  3. Check whether ({}).polluted is now set: a freshly created empty object should own nothing, so a value here means Object.prototype was modified.
Try these payloads:
{"__proto__":{"polluted":"yes"}}
{"constructor":{"prototype":{"polluted":"yes"}}}
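The procedure above, runnable offline in Node as an added example (not the page's own script). Because the real library is not loaded here, a minimal recursive deep merge stands in for the historical _.merge/_.defaultsDeep behaviour the page describes; it is placed beside a hardened variant so both payloads can be pushed through each and the ({}).polluted check observed. The function names (unsafeMerge, safeMerge, isPolluted, cleanup, demo) are this example's own; to test the page's actual Lodash build, substitute _.merge for unsafeMerge and see whether it behaves the same.

```javascript
// Added example: a naive deep merge reproducing the historical Lodash
// prototype-pollution behaviour, beside a hardened merge. The real Lodash
// library is NOT loaded; unsafeMerge is an assumption-labelled stand-in.

// Payloads constructed for the demo (the two shown on the page).
const PAYLOADS = [
  '{"__proto__":{"polluted":"yes"}}',
  '{"constructor":{"prototype":{"polluted":"yes"}}}',
];

// Old Lodash treated functions as mergeable objects. That is what lets the
// constructor.prototype payload reach Object.prototype via `Object`.
function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// VULNERABLE: iterates every own key of `source`, including "__proto__" and
// "constructor", and recurses into whatever `target[key]` resolves to.
// For target = {} both payloads resolve to Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    if (isObjectLike(srcVal)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// HARDENED: refuse the prototype-reaching keys outright, recurse only into
// plain objects, and only into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Step 3 of the procedure: a brand-new empty object must not see `polluted`.
function isPolluted() {
  return ({}).polluted === 'yes';
}

// Undo the pollution so the next run starts clean. Properties created by
// assignment are configurable, so delete works.
function cleanup() {
  delete Object.prototype.polluted;
}

// Push each payload through both merges and record what happened.
function demo() {
  const results = [];
  for (const json of PAYLOADS) {
    cleanup();
    unsafeMerge({}, JSON.parse(json));
    const afterUnsafe = isPolluted();      // true: Object.prototype was hit
    cleanup();
    let safeRejected = false;
    try {
      safeMerge({}, JSON.parse(json));
    } catch (e) {
      safeRejected = true;                 // hardened merge refused the key
    }
    results.push({ payload: json, afterUnsafe, safeRejected, afterSafe: isPolluted() });
    cleanup();
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Note that JSON.parse creates an own property literally named "__proto__" (it does not set the prototype), which is why Object.keys lists it and the naive merge reaches it. Rejecting the three keys is the cheapest check; freezing Object.prototype at startup stops this whole class regardless of which merge code is buggy, at the cost of breaking libraries that extend built-ins.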