NodeJS/lodash/0.4.0
Lodash modular utilities.
https://www.npmjs.com/package/lodash
MIT
9 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS) in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- https://github.com/lodash/lodash/pull/5065
- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions.
Steps to reproduce (provided by reporter Liyuan Chen):
```js
var lo = require('lodash');

// Build "1" + n spaces + "1": nothing is trimmable, so the trailing-whitespace
// regex in the vulnerable versions backtracks over every run of spaces.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
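The fix that shipped in 4.17.21 (the linked commit above) replaced the regex-based trim with an index scan. The following is an added example, not lodash's own code: an independent linear-time trim in that style, timed on the same worst-case input as the repro; `safeTrim`, `safeTrimEnd`, `reproInput` and `timeSafeTrim` are names chosen here.

```javascript
// Added example, not lodash's code: 4.17.21 replaced the trailing-whitespace
// regex with an index scan; this reimplements that idea and times it on the
// reporter's worst-case input.

// Applied to one character at a time, so it can never backtrack.
const WHITESPACE = /\s/;

// The vulnerable shape, kept for reference and never run on large input here:
// on "1" + n spaces + "1", `\s+` is tried from each of the n positions and
// fails at the final "1" every time, about n^2/2 steps.
const RE_TRIM_END_VULNERABLE = /\s+$/;

// Index one past the last non-whitespace character; a single pass from the right.
function trimmedEndIndex(str) {
  let end = str.length;
  while (end > 0 && WHITESPACE.test(str.charAt(end - 1))) end--;
  return end;
}

// Index of the first non-whitespace character; a single pass from the left.
function trimmedStartIndex(str) {
  let start = 0;
  while (start < str.length && WHITESPACE.test(str.charAt(start))) start++;
  return start;
}

function safeTrimEnd(str) {
  return str.slice(0, trimmedEndIndex(str));
}

function safeTrim(str) {
  const start = trimmedStartIndex(str);
  const end = trimmedEndIndex(str);
  return start >= end ? "" : str.slice(start, end);
}

// Constructed input with the same shape as the repro above: nothing is
// trimmable, which is the regex's worst case.
function reproInput(n) {
  return "1" + " ".repeat(n) + "1";
}

// Runs the linear trim on the repro input; reports wall time and whether the
// string came back unchanged (it should).
function timeSafeTrim(n) {
  const s = reproInput(n);
  const t0 = Date.now();
  const unchanged = safeTrim(s) === s;
  return { ms: Date.now() - t0, unchanged };
}
```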
Command Injection in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the `template` function.
Prototype Pollution in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2018-16487
- https://github.com/advisories/GHSA-4xc9-xhrj-v574
- https://hackerone.com/reports/380873
- https://www.npmjs.com/advisories/782
- https://security.netapp.com/advisory/ntap-20190919-0004/
- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
Versions of lodash before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.11 or later.
Withdrawn: Arbitrary code execution in lodash
Withdrawn
GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.
CVE description
"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input."
Prototype Pollution in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2018-3721
- https://github.com/advisories/GHSA-fvqr-27wr-82fm
- https://hackerone.com/reports/310443
- https://www.npmjs.com/advisories/577
- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
- https://security.netapp.com/advisory/ntap-20190919-0004/
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.5 or later.
Prototype Pollution in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2019-10744
- https://github.com/advisories/GHSA-jf85-cpcp-j695
- https://github.com/lodash/lodash/pull/4336
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://www.npmjs.com/advisories/1065
- https://access.redhat.com/errata/RHSA-2019:3024
- https://security.netapp.com/advisory/ntap-20191004-0005/
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.12 or later.
Regular Expression Denial of Service (ReDoS) in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
- https://github.com/lodash/lodash/issues/3359
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347
- https://github.com/lodash/lodash/wiki/Changelog
- https://security.netapp.com/advisory/ntap-20190919-0004/
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
lodash prototype pollution
lodash node module before 4.17.5 suffers from a prototype pollution vulnerability via the `defaultsDeep`, `merge`, and `mergeWith` functions, which allows a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
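The prototype pollution advisories above (CVE-2018-3721, CVE-2018-16487, CVE-2019-10744 and the entry just above) all come down to two key paths: `__proto__` and `constructor.prototype`. As an added example that is not lodash's code, here is a toy deep merge with that defect, a hardened merge that drops those keys, and a post-merge check; `naiveMerge`, `safeMerge` and `pollutedKeys` are names chosen here and the payloads are constructed.

```javascript
// Added example, not lodash's code: a toy deep merge with the defect these
// advisories describe, a hardened version, and a post-merge pollution check.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}
// Vulnerable shape: recurses into whatever target[key] resolves to, so a
// "__proto__" key lands on Object.prototype and "constructor" -> Object ->
// "prototype" reaches it as well.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const slot = target[key];
      if (slot === null || !["object", "function"].includes(typeof slot)) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened shape: own keys only, the three dangerous keys dropped, recursion
// only into plain-object slots the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Detection: Object.prototype has no enumerable keys; any present after
// merging untrusted input are pollution.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}
// Constructed payloads in the two shapes the advisories name, as JSON text:
// an object literal's __proto__ would set the prototype instead of an own key.
const PAYLOAD_PROTO = '{"__proto__": {"polluted": "yes"}}';
const PAYLOAD_CTOR = '{"constructor": {"prototype": {"polluted": "yes"}}}';
```

The payloads only take effect when parsed from JSON (or another source that creates own keys), which is exactly how untrusted input reaches a merge call in practice.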
Denial of Service
Prototype pollution attack (lodash / constructor.prototype)
114 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
0.5.2 | MIT | 9 | 2012-08-22 - 16:22 | about 12 years |
0.5.1 | MIT | 9 | 2012-08-18 - 20:15 | about 12 years |
0.5.0 | MIT | 9 | 2012-08-17 - 20:13 | about 12 years |
0.5.0-rc.1 | MIT | 9 | 2012-08-07 - 15:08 | about 12 years |
0.4.2 | MIT | 9 | 2012-07-16 - 18:49 | over 12 years |
0.4.1 | MIT | 9 | 2012-07-12 - 04:56 | over 12 years |
0.4.0 | MIT | 9 | 2012-07-11 - 17:14 | over 12 years |
0.3.2 | MIT | 9 | 2012-06-14 - 19:19 | over 12 years |
0.3.1 | MIT | 9 | 2012-06-11 - 04:12 | over 12 years |
0.3.0 | MIT | 9 | 2012-06-06 - 20:01 | over 12 years |
0.2.2 | MIT | 9 | 2012-05-30 - 07:56 | over 12 years |
0.2.1 | MIT | 9 | 2012-05-24 - 21:53 | over 12 years |
0.2.0 | MIT | 9 | 2012-05-22 - 04:06 | over 12 years |
0.1.0 | MIT | 9 | 2012-04-23 - 16:37 | over 12 years |