NodeJS/lodash/4.16.3
Lodash modular utilities.
https://www.npmjs.com/package/lodash
MIT
11 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS) in lodash
Published date: 2022-01-06T20:30:46Z
CVE: CVE-2020-28500
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- https://github.com/lodash/lodash/pull/5065
- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
- https://security.netapp.com/advisory/ntap-20210312-0006
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
- https://github.com/github/advisory-database/pull/6139
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen): ```js var lo = require('lodash');
function buildblank(n) { var ret = 1
for (var i = 0; i < n; i++) { ret += " } return ret +
1"; } var s = buildblank(50000) var time0 = Date.now(); lo.trim(s) var timecost0 = Date.now() - time0; console.log("timecost0: + time_cost0); var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(
timecost1: " + timecost1); var time2 = Date.now(); lo.trimEnd(s); var timecost2 = Date.now() - time2; console.log("timecost2: " + time_cost2); ```
Affected versions: ["4.17.20", "4.17.19", "4.17.18", "4.17.17", "4.17.16", "4.17.15", "4.17.14", "4.17.13", "4.17.12", "4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Command Injection in lodash
Published date: 2021-05-06T16:05:51Z
CVE: CVE-2021-23337
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://security.netapp.com/advisory/ntap-20210312-0006
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Affected versions: ["4.17.20", "4.17.19", "4.17.18", "4.17.17", "4.17.16", "4.17.15", "4.17.14", "4.17.13", "4.17.12", "4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0", "3.6.0", "3.5.0", "3.4.0", "3.3.1", "3.3.0", "3.2.0", "3.1.0", "3.0.1", "3.0.0", "2.4.2", "2.4.1", "2.4.0", "2.3.0", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.2", "1.0.1", "1.0.0", "1.0.0-rc.3", "1.0.0-rc.2", "1.0.0-rc.1", "0.10.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.1", "0.6.0", "0.5.2", "0.5.1", "0.5.0", "0.5.0-rc.1", "0.4.2", "0.4.1", "0.4.0", "0.3.2", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Prototype Pollution in lodash
Published date: 2019-02-07T18:16:48Z
CVE: CVE-2018-16487
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16487
- https://github.com/advisories/GHSA-4xc9-xhrj-v574
- https://hackerone.com/reports/380873
- https://www.npmjs.com/advisories/782
- https://security.netapp.com/advisory/ntap-20190919-0004/
- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
- https://security.netapp.com/advisory/ntap-20190919-0004
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.11 or later.
Affected versions: ["4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0", "3.6.0", "3.5.0", "3.4.0", "3.3.1", "3.3.0", "3.2.0", "3.1.0", "3.0.1", "3.0.0", "2.4.2", "2.4.1", "2.4.0", "2.3.0", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.2", "1.0.1", "1.0.0", "1.0.0-rc.3", "1.0.0-rc.2", "1.0.0-rc.1", "0.10.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.1", "0.6.0", "0.5.2", "0.5.1", "0.5.0", "0.5.0-rc.1", "0.4.2", "0.4.1", "0.4.0", "0.3.2", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Withdrawn: Arbitrary code execution in lodash
Published date: 2021-12-03T20:37:32Z
CVE: CVE-2021-41720
Links:
Withdrawn
GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.
CVE description
"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.
Affected versions: ["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "4.17.5", "4.17.9", "4.17.10", "4.17.11", "4.17.12", "4.17.13", "4.17.14", "4.17.15", "4.17.16", "4.17.17", "4.17.18", "4.17.19", "4.17.20", "4.17.21"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Prototype Pollution in lodash
Published date: 2018-07-26T15:14:52Z
CVE: CVE-2018-3721
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3721
- https://github.com/advisories/GHSA-fvqr-27wr-82fm
- https://hackerone.com/reports/310443
- https://www.npmjs.com/advisories/577
- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
- https://security.netapp.com/advisory/ntap-20190919-0004/
- https://security.netapp.com/advisory/ntap-20190919-0004
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.5 or later.
Affected versions: ["4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0", "3.6.0", "3.5.0", "3.4.0", "3.3.1", "3.3.0", "3.2.0", "3.1.0", "3.0.1", "3.0.0", "2.4.2", "2.4.1", "2.4.0", "2.3.0", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.2", "1.0.1", "1.0.0", "1.0.0-rc.3", "1.0.0-rc.2", "1.0.0-rc.1", "0.10.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.1", "0.6.0", "0.5.2", "0.5.1", "0.5.0", "0.5.0-rc.1", "0.4.2", "0.4.1", "0.4.0", "0.3.2", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Prototype Pollution in lodash
Published date: 2019-07-10T19:45:23Z
CVE: CVE-2019-10744
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10744
- https://github.com/advisories/GHSA-jf85-cpcp-j695
- https://github.com/lodash/lodash/pull/4336
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://www.npmjs.com/advisories/1065
- https://access.redhat.com/errata/RHSA-2019:3024
- https://security.netapp.com/advisory/ntap-20191004-0005/
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS
- https://security.netapp.com/advisory/ntap-20191004-0005
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.12 or later.
Affected versions: ["4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0", "3.6.0", "3.5.0", "3.4.0", "3.3.1", "3.3.0", "3.2.0", "3.1.0", "3.0.1", "3.0.0", "2.4.2", "2.4.1", "2.4.0", "2.3.0", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.2", "1.0.1", "1.0.0", "1.0.0-rc.3", "1.0.0-rc.2", "1.0.0-rc.1", "0.10.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.1", "0.6.0", "0.5.2", "0.5.1", "0.5.0", "0.5.0-rc.1", "0.4.2", "0.4.1", "0.4.0", "0.3.2", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Prototype Pollution in lodash
Published date: 2020-07-15T19:15:48Z
CVE: CVE-2020-8203
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8203
- https://github.com/advisories/GHSA-p6mc-m468-83gw
- https://github.com/lodash/lodash/issues/4744
- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
- https://www.npmjs.com/advisories/1523
- https://hackerone.com/reports/712065
- https://security.netapp.com/advisory/ntap-20200724-0006/
- https://github.com/lodash/lodash/issues/4874
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/github/advisory-database/pull/2884
- https://hackerone.com/reports/864701
- https://github.com/lodash/lodash/wiki/Changelog#v41719
- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
- https://security.netapp.com/advisory/ntap-20200724-0006
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Affected versions: ["4.17.18", "4.17.17", "4.17.16", "4.17.15", "4.17.14", "4.17.13", "4.17.12", "4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Regular Expression Denial of Service (ReDoS) in lodash
Published date: 2019-07-19T16:13:07Z
CVE: CVE-2019-1010266
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
- https://github.com/lodash/lodash/issues/3359
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347
- https://github.com/lodash/lodash/wiki/Changelog
- https://security.netapp.com/advisory/ntap-20190919-0004/
- https://security.netapp.com/advisory/ntap-20190919-0004
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml
- https://github.com/github/advisory-database/pull/6138
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Affected versions: ["4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
Published date: 2026-01-21T23:01:22Z
CVE: CVE-2025-13465
Links:
Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
Patches
This issue is patched on 4.17.23.
Affected versions: ["4.17.21", "4.17.20", "4.17.19", "4.17.18", "4.17.17", "4.17.16", "4.17.15", "4.17.14", "4.17.13", "4.17.12", "4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0"]
Secure versions: [4.17.23]
Recommendation: Update to version 4.17.23.
lodash prototype pollution
Published date: 2018-02-12
CVEs: ["CVE-2018-3721"]
CVSS Score: 2.5
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
lodash node module before 4.17.5 suffers from a prototype pollution vulnerability via 'defaultsDeep', 'merge', and 'mergeWith' functions, which allows a malicious user to modify the prototype of 'Object' via proto, causing the addition or modification of an existing property that will exist on all objects.
Affected versions: ["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "NodeJS/lodash/0.1.0", "NodeJS/lodash/0.2.0", "NodeJS/lodash/0.2.1", "NodeJS/lodash/0.3.0", "NodeJS/lodash/0.3.1", "NodeJS/lodash/0.4.0", "NodeJS/lodash/0.4.2", "NodeJS/lodash/0.5.0-rc.1", "NodeJS/lodash/0.5.0", "NodeJS/lodash/0.5.1", "NodeJS/lodash/0.5.2", "NodeJS/lodash/0.2.2", "NodeJS/lodash/0.3.2", "NodeJS/lodash/0.4.1", "NodeJS/lodash/0.6.0", "NodeJS/lodash/0.7.0", "NodeJS/lodash/0.8.1", "NodeJS/lodash/0.8.2", "NodeJS/lodash/0.9.0", "NodeJS/lodash/0.9.1", "NodeJS/lodash/0.9.2", "NodeJS/lodash/0.10.0", "NodeJS/lodash/1.0.0-rc.1", "NodeJS/lodash/1.0.0", "NodeJS/lodash/1.1.0", "NodeJS/lodash/1.1.1", "NodeJS/lodash/1.3.0", "NodeJS/lodash/1.3.1", "NodeJS/lodash/2.0.0", "NodeJS/lodash/2.1.0", "NodeJS/lodash/2.2.1", "NodeJS/lodash/2.4.0", "NodeJS/lodash/3.0.1", "NodeJS/lodash/3.1.0", "NodeJS/lodash/3.3.1", "NodeJS/lodash/3.4.0", "NodeJS/lodash/3.6.0", "NodeJS/lodash/3.8.0", "NodeJS/lodash/3.9.2", "NodeJS/lodash/3.9.3", "NodeJS/lodash/3.10.0", "NodeJS/lodash/4.0.0", "NodeJS/lodash/4.1.0", "NodeJS/lodash/4.2.0", "NodeJS/lodash/4.2.1", "NodeJS/lodash/4.4.0", "NodeJS/lodash/4.5.0", "NodeJS/lodash/4.5.1", "NodeJS/lodash/4.6.0", "NodeJS/lodash/4.7.0", "NodeJS/lodash/4.10.0", "NodeJS/lodash/4.11.1", "NodeJS/lodash/4.13.1", "NodeJS/lodash/4.14.1", "NodeJS/lodash/4.14.2", "NodeJS/lodash/4.16.5", "NodeJS/lodash/4.16.6", "NodeJS/lodash/4.17.2", "NodeJS/lodash/4.17.3", "NodeJS/lodash/4.17.4", "NodeJS/lodash/0.6.1", "NodeJS/lodash/0.8.0", "NodeJS/lodash/1.0.0-rc.2", "NodeJS/lodash/1.0.0-rc.3", "NodeJS/lodash/1.0.1", "NodeJS/lodash/1.2.0", "NodeJS/lodash/1.2.1", "NodeJS/lodash/2.2.0", "NodeJS/lodash/2.3.0", "NodeJS/lodash/2.4.1", "NodeJS/lodash/3.0.0", "NodeJS/lodash/3.2.0", "NodeJS/lodash/3.3.0", "NodeJS/lodash/3.5.0", "NodeJS/lodash/1.0.2", "NodeJS/lodash/3.7.0", "NodeJS/lodash/2.4.2", "NodeJS/lodash/3.9.0", "NodeJS/lodash/3.9.1", "NodeJS/lodash/3.10.1", "NodeJS/lodash/4.0.1", "NodeJS/lodash/4.3.0", "NodeJS/lodash/4.6.1", "NodeJS/lodash/4.8.0", "NodeJS/lodash/4.8.1", "NodeJS/lodash/4.8.2", "NodeJS/lodash/4.9.0", "NodeJS/lodash/4.11.0", "NodeJS/lodash/4.11.2", "NodeJS/lodash/4.12.0", "NodeJS/lodash/4.13.0", "NodeJS/lodash/4.14.0", "NodeJS/lodash/4.15.0", "NodeJS/lodash/4.16.0", "NodeJS/lodash/4.16.1", "NodeJS/lodash/4.16.2", "NodeJS/lodash/4.16.3", "NodeJS/lodash/4.16.4", "NodeJS/lodash/4.17.0", "NodeJS/lodash/4.17.1"]
Secure versions: [4.17.23]
Recommendation: Update module to 4.17.5 or higher
Denial of Service
Published date: 2018-10-30
CVEs: ["CVE-2018-16487"]
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Prototype pollution attack (lodash / constructor.prototype)
Affected versions: ["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "4.17.5", "4.17.9", "4.17.10", "NodeJS/lodash/0.1.0", "NodeJS/lodash/0.2.0", "NodeJS/lodash/0.2.1", "NodeJS/lodash/0.3.0", "NodeJS/lodash/0.3.1", "NodeJS/lodash/0.4.0", "NodeJS/lodash/0.4.2", "NodeJS/lodash/0.5.0-rc.1", "NodeJS/lodash/0.5.0", "NodeJS/lodash/0.5.1", "NodeJS/lodash/0.5.2", "NodeJS/lodash/0.2.2", "NodeJS/lodash/0.3.2", "NodeJS/lodash/0.4.1", "NodeJS/lodash/0.6.0", "NodeJS/lodash/0.7.0", "NodeJS/lodash/0.8.1", "NodeJS/lodash/0.8.2", "NodeJS/lodash/0.9.0", "NodeJS/lodash/0.9.1", "NodeJS/lodash/0.9.2", "NodeJS/lodash/0.10.0", "NodeJS/lodash/1.0.0-rc.1", "NodeJS/lodash/1.0.0", "NodeJS/lodash/1.1.0", "NodeJS/lodash/1.1.1", "NodeJS/lodash/1.3.0", "NodeJS/lodash/1.3.1", "NodeJS/lodash/2.0.0", "NodeJS/lodash/2.1.0", "NodeJS/lodash/2.2.1", "NodeJS/lodash/2.4.0", "NodeJS/lodash/3.0.1", "NodeJS/lodash/3.1.0", "NodeJS/lodash/3.3.1", "NodeJS/lodash/3.4.0", "NodeJS/lodash/3.6.0", "NodeJS/lodash/3.8.0", "NodeJS/lodash/3.9.2", "NodeJS/lodash/3.9.3", "NodeJS/lodash/3.10.0", "NodeJS/lodash/4.0.0", "NodeJS/lodash/4.1.0", "NodeJS/lodash/4.2.0", "NodeJS/lodash/4.2.1", "NodeJS/lodash/4.4.0", "NodeJS/lodash/4.5.0", "NodeJS/lodash/4.5.1", "NodeJS/lodash/4.6.0", "NodeJS/lodash/4.7.0", "NodeJS/lodash/4.10.0", "NodeJS/lodash/4.11.1", "NodeJS/lodash/4.13.1", "NodeJS/lodash/4.14.1", "NodeJS/lodash/4.14.2", "NodeJS/lodash/4.16.5", "NodeJS/lodash/4.16.6", "NodeJS/lodash/4.17.2", "NodeJS/lodash/4.17.3", "NodeJS/lodash/4.17.4", "NodeJS/lodash/4.17.5", "NodeJS/lodash/0.6.1", "NodeJS/lodash/0.8.0", "NodeJS/lodash/1.0.0-rc.2", "NodeJS/lodash/1.0.0-rc.3", "NodeJS/lodash/1.0.1", "NodeJS/lodash/1.2.0", "NodeJS/lodash/1.2.1", "NodeJS/lodash/2.2.0", "NodeJS/lodash/2.3.0", "NodeJS/lodash/2.4.1", "NodeJS/lodash/3.0.0", "NodeJS/lodash/3.2.0", "NodeJS/lodash/3.3.0", "NodeJS/lodash/3.5.0", "NodeJS/lodash/1.0.2", "NodeJS/lodash/3.7.0", "NodeJS/lodash/2.4.2", "NodeJS/lodash/3.9.0", "NodeJS/lodash/3.9.1", "NodeJS/lodash/3.10.1", "NodeJS/lodash/4.0.1", "NodeJS/lodash/4.3.0", "NodeJS/lodash/4.6.1", "NodeJS/lodash/4.8.0", "NodeJS/lodash/4.8.1", "NodeJS/lodash/4.8.2", "NodeJS/lodash/4.9.0", "NodeJS/lodash/4.11.0", "NodeJS/lodash/4.11.2", "NodeJS/lodash/4.12.0", "NodeJS/lodash/4.13.0", "NodeJS/lodash/4.14.0", "NodeJS/lodash/4.15.0", "NodeJS/lodash/4.16.0", "NodeJS/lodash/4.16.1", "NodeJS/lodash/4.16.2", "NodeJS/lodash/4.16.3", "NodeJS/lodash/4.16.4", "NodeJS/lodash/4.17.0", "NodeJS/lodash/4.17.1", "NodeJS/lodash/4.17.9", "NodeJS/lodash/4.17.10"]
Secure versions: [4.17.23]
Recommendation: Update lodash module to version >=4.17.11
115 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 4.17.23 | MIT | 2026-01-21 - 17:29 | about 2 months | |
| 4.17.21 | MIT | 2 | 2021-02-20 - 15:42 | about 5 years |
| 4.17.20 | MIT | 4 | 2020-08-13 - 16:53 | over 5 years |
| 4.17.19 | MIT | 4 | 2020-07-08 - 17:14 | over 5 years |
| 4.17.18 | MIT | 6 | 2020-07-08 - 16:07 | over 5 years |
| 4.17.17 | MIT | 6 | 2020-07-08 - 12:08 | over 5 years |
| 4.17.16 | MIT | 6 | 2020-07-08 - 10:50 | over 5 years |
| 4.17.15 | MIT | 6 | 2019-07-19 - 02:28 | over 6 years |
| 4.17.14 | MIT | 5 | 2019-07-10 - 15:44 | over 6 years |
| 4.17.13 | MIT | 5 | 2019-07-09 - 22:24 | over 6 years |
| 4.17.12 | MIT | 5 | 2019-07-09 - 21:07 | over 6 years |
| 4.17.11 | MIT | 6 | 2018-09-12 - 18:32 | over 7 years |
| 4.17.10 | MIT | 9 | 2018-04-24 - 18:07 | almost 8 years |
| 4.17.9 | MIT | 9 | 2018-04-24 - 17:44 | almost 8 years |
| 4.17.5 | MIT | 9 | 2018-02-04 - 00:34 | about 8 years |
| 4.17.4 | MIT | 11 | 2016-12-31 - 22:33 | about 9 years |
| 4.17.3 | MIT | 11 | 2016-12-24 - 14:25 | about 9 years |
| 4.17.2 | MIT | 11 | 2016-11-16 - 07:21 | over 9 years |
| 4.17.1 | MIT | 11 | 2016-11-15 - 07:03 | over 9 years |
| 4.17.0 | MIT | 11 | 2016-11-14 - 07:00 | over 9 years |
| 4.16.6 | MIT | 11 | 2016-11-01 - 06:38 | over 9 years |
| 4.16.5 | MIT | 11 | 2016-10-31 - 06:49 | over 9 years |
| 4.16.4 | MIT | 11 | 2016-10-06 - 15:13 | over 9 years |
| 4.16.3 | MIT | 11 | 2016-10-03 - 16:43 | over 9 years |
| 4.16.2 | MIT | 11 | 2016-09-26 - 03:11 | over 9 years |
| 4.16.1 | MIT | 11 | 2016-09-20 - 16:59 | over 9 years |
| 4.16.0 | MIT | 11 | 2016-09-19 - 14:59 | over 9 years |
| 4.15.0 | MIT | 11 | 2016-08-12 - 14:39 | over 9 years |
| 4.14.2 | MIT | 11 | 2016-08-08 - 15:35 | over 9 years |
| 4.14.1 | MIT | 11 | 2016-07-29 - 14:49 | over 9 years |
| 4.14.0 | MIT | 11 | 2016-07-24 - 18:40 | over 9 years |
| 4.13.1 | MIT | 11 | 2016-05-23 - 15:59 | almost 10 years |
| 4.13.0 | MIT | 11 | 2016-05-23 - 05:07 | almost 10 years |
| 4.12.0 | MIT | 11 | 2016-05-08 - 19:25 | almost 10 years |
| 4.11.2 | MIT | 11 | 2016-05-02 - 15:01 | almost 10 years |
| 4.11.1 | MIT | 11 | 2016-04-14 - 07:21 | almost 10 years |
| 4.11.0 | MIT | 11 | 2016-04-13 - 15:32 | almost 10 years |
| 4.10.0 | MIT | 11 | 2016-04-11 - 14:43 | almost 10 years |
| 4.9.0 | MIT | 11 | 2016-04-08 - 15:22 | almost 10 years |
| 4.8.2 | MIT | 11 | 2016-04-05 - 02:15 | almost 10 years |
| 4.8.1 | MIT | 11 | 2016-04-04 - 15:43 | almost 10 years |
| 4.8.0 | MIT | 11 | 2016-04-04 - 14:54 | almost 10 years |
| 4.7.0 | MIT | 11 | 2016-03-31 - 15:46 | almost 10 years |
| 4.6.1 | MIT | 10 | 2016-03-02 - 18:09 | about 10 years |
| 4.6.0 | MIT | 10 | 2016-03-02 - 03:24 | about 10 years |
| 4.5.1 | MIT | 10 | 2016-02-22 - 06:42 | about 10 years |
| 4.5.0 | MIT | 10 | 2016-02-17 - 08:39 | about 10 years |
| 4.4.0 | MIT | 10 | 2016-02-16 - 07:10 | about 10 years |
| 4.3.0 | MIT | 10 | 2016-02-08 - 08:57 | about 10 years |
| 4.2.1 | MIT | 10 | 2016-02-03 - 16:00 | about 10 years |