Open
Description
Bug Summary
Critical vulnerabilities were identified in lodash (≤ 4.17.20), a transitive dependency introduced through gitbook-plugin-sharing.
These include multiple Prototype Pollution and Command Injection issues with no current fix available.
Details
Vulnerable Package: lodash
Affected Versions: ≤ 4.17.20
Dependency Path:
gitbook-plugin-sharing@1.0.1 → lodash@≤4.17.20
Severity: Critical
Relevant Advisories:
- GHSA-fvqr-27wr-82fm – Prototype Pollution
- GHSA-35jh-r3h4-6jhm – Command Injection
- GHSA-4xc9-xhrj-v574 – Prototype Pollution
- GHSA-jf85-cpcp-j695 – Prototype Pollution
- GHSA-p6mc-m468-83gw – Prototype Pollution
Fix Availability:
No official fix currently available for gitbook-plugin-sharing.
Impact
- Risk of arbitrary code execution or data tampering through prototype pollution.
- May compromise application security if lodash methods are invoked with untrusted input.
Steps to Reproduce
- Run `npm audit` in the project root.
- Observe the critical vulnerabilities reported for lodash (transitive via gitbook-plugin-sharing).
Proposed Actions
- Explore removing or replacing `gitbook-plugin-sharing` with a maintained alternative.
- If replacement is not feasible:
  - Fork the plugin and upgrade lodash to ≥4.17.21.
  - Use npm `overrides` or Yarn `resolutions` to force a safe lodash version.
- Re-run `npm audit` after mitigation to confirm vulnerability resolution.
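As an added illustration of the `overrides` / `resolutions` option above (not part of the original report or the project's own manifest), the following `package.json` fragment forces the lodash resolved beneath `gitbook-plugin-sharing` to a patched release. The package name `example-gitbook-site` and its version are assumed placeholders; the `overrides` key is read by npm (8.3 or newer) and the `resolutions` key by Yarn, and the two can coexist in one manifest because each tool ignores the other's field.

```json
{
  "name": "example-gitbook-site",
  "version": "1.0.0",
  "dependencies": {
    "gitbook-plugin-sharing": "1.0.1"
  },
  "overrides": {
    "gitbook-plugin-sharing": {
      "lodash": "^4.17.21"
    }
  },
  "resolutions": {
    "gitbook-plugin-sharing/lodash": "^4.17.21"
  }
}
```

The override is scoped to the plugin rather than written as a bare top-level `"lodash"` entry, so other packages keep whatever lodash range they declared; 4.17.21 is a patch release within the same major, so the forced version should not change the plugin's API surface, but the build should still be exercised after the change. After editing the manifest, run `npm install` (or `yarn install`), then `npm ls lodash` to confirm that only ≥4.17.21 is resolved anywhere in the tree, and finally `npm audit` to confirm the five advisories no longer appear.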
Environment
| Key | Value |
|---|---|
| Node.js version | e.g., 20.10.0 |
| npm version | e.g., 10.5.0 |
| OS | e.g., macOS 15.6.1 / Ubuntu 22.04 |
Additional Notes
Please assign this issue for tracking and remediation.
This will help maintain project security and ensure compatibility with modern dependency versions.