Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203 in cockpit-hq/cockpit


Reported on

Feb 20th 2023


Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203

Proof of Concept

1) Go to https://localhost/Cockpit/modules/App/assets/vendor/lodash.js?ver=2.3.9-1676855050 and note that the lodash version is 4.17.15
2) Go to https://localhost/Cockpit/
3) Open Web Developer tools (Ctrl+Shift+I) using Firefox
4) Go to the console
5) Enter _.zipObjectDeep(['__proto__.z'],[123])
6) console.log(z) // 123 will appear everywhere based on the PoC reference


This vulnerability is capable of prototype pollution
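As an added example (not part of the report or the Cockpit project), the following JavaScript shows the defensive side of the finding above: a version check against the lodash release that fixed CVE-2020-8203, a deep path setter that refuses the `__proto__`, `constructor` and `prototype` segments the PoC relies on, and a runtime check for keys that have appeared on `Object.prototype` since the page loaded. lodash itself is not loaded; `safeSetPath`, `zipObjectDeepSafe`, `isLodashVersionAffected` and `findPollutedKeys` are names chosen for this example, and the 4.17.19 fix version is taken from the upstream lodash advisory.

```javascript
// Added example, not code from the huntr report or from Cockpit/lodash.
// Demonstrates mitigation and detection for the CVE-2020-8203 bug class
// (path-based deep assignment that can walk onto the prototype chain).

// Path segments that must never be traversed or created by a deep setter.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// First lodash release containing the fix for CVE-2020-8203 (assumption taken
// from the upstream advisory); anything below it is treated as affected.
const LODASH_FIXED_VERSION = '4.17.19';

function parseVersion(v) {
  return String(v).split('.').map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 like a comparator; missing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Asset inventory check: is this lodash version older than the fixed release?
function isLodashVersionAffected(version) {
  return compareVersions(version, LODASH_FIXED_VERSION) < 0;
}

// Hardened deep setter: rejects prototype-reaching segments up front and only
// descends into own properties, so a path can never reach Object.prototype.
function safeSetPath(target, path, value) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing unsafe path segment: ${seg}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Safe counterpart of the zipObjectDeep(paths, values) shape used in the PoC.
function zipObjectDeepSafe(paths, values) {
  const result = {};
  paths.forEach((p, i) => safeSetPath(result, p, values[i]));
  return result;
}

// Detection: snapshot Object.prototype's own keys at load time, then report
// any key that was added later. A successful pollution such as the PoC's
// "__proto__.z" would surface here as ["z"].
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

function findPollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE_PROTO_KEYS.has(k));
}

// Stand-alone demo.
console.log('4.17.15 affected:', isLodashVersionAffected('4.17.15'));
console.log('safe zip:', JSON.stringify(zipObjectDeepSafe(['a.b.c', 'a.b.d'], [1, 2])));
try {
  zipObjectDeepSafe(['__proto__.z'], [123]);
} catch (e) {
  console.log('blocked:', e.message);
}
console.log('polluted keys:', findPollutedKeys());
```

The version check is the quickest triage step for a report like this one: the asset URL in the PoC reveals the bundled lodash version, and anything below 4.17.19 should be treated as affected regardless of whether the application itself calls `zipObjectDeep`. The `findPollutedKeys` snapshot only detects pollution that happens after the script loads, so it belongs early in the page's script order.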


We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. (a month ago)
Joshua Chan modified the report (a month ago)
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back. (a month ago)
Joshua Chan
a month ago


Hi @maintainer, this finding is fixed based on the commit https://github.com/Cockpit-HQ/Cockpit/commit/690016208850f2d788ebc3c67884d4c692587eb8 9 hours ago, could this report be valid? Thank you.

Artur validated this vulnerability 23 days ago
Joshua Chan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.4.0 with commit 690016 23 days ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 3rd 2023
Joshua Chan
22 days ago


Hi @admins, I think the maintainer has assigned a CVE for this? Thanks.

Ben Harvie
22 days ago


The CVE will be assigned and published when the vulnerability goes public (Mar 2nd 2023), thanks!

Artur published this vulnerability 20 days ago