A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Created lodash tracking bugs for this issue:
Affects: fedora-all [bug 1671879]
Created nodejs-lodash tracking bugs for this issue:
Affects: epel-all [bug 1671880]
rh-nodejs8-nodejs does not install modules that export the vulnerable functions, however they may be used internally.
This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform
Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details