NodeJS/lodash/4.17.16

Lodash modular utilities.

Repo Link: https://www.npmjs.com/package/lodash
License: MIT

5 Security Vulnerabilities

Regular Expression Denial of Service (ReDoS) in lodash

Published date: 2022-01-06T20:30:46Z

CVE: CVE-2020-28500

Links:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen): ```js var lo = require('lodash');

function buildblank(n) { var ret = 1 for (var i = 0; i < n; i++) { ret += " } return ret +1"; } var s = buildblank(50000) var time0 = Date.now(); lo.trim(s) var timecost0 = Date.now() - time0; console.log("timecost0: + time_cost0); var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(timecost1: " + timecost1); var time2 = Date.now(); lo.trimEnd(s); var timecost2 = Date.now() - time2; console.log("timecost2: " + time_cost2); ```

Secure versions: []

Command Injection in lodash

Published date: 2021-05-06T16:05:51Z

CVE: CVE-2021-23337

Links:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Affected versions: ["4.17.20", "4.17.19", "4.17.18", "4.17.17", "4.17.16", "4.17.15", "4.17.14", "4.17.13", "4.17.12", "4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0", "3.6.0", "3.5.0", "3.4.0", "3.3.1", "3.3.0", "3.2.0", "3.1.0", "3.0.1", "3.0.0", "2.4.2", "2.4.1", "2.4.0", "2.3.0", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.2", "1.0.1", "1.0.0", "1.0.0-rc.3", "1.0.0-rc.2", "1.0.0-rc.1", "0.10.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.1", "0.6.0", "0.5.2", "0.5.1", "0.5.0", "0.5.0-rc.1", "0.4.2", "0.4.1", "0.4.0", "0.3.2", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "0.1.0"]

Secure versions: []

Withdrawn: Arbitrary code execution in lodash

Published date: 2021-12-03T20:37:32Z

CVE: CVE-2021-41720

Links:

Withdrawn

GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.

CVE description

"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.

Affected versions: ["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "4.17.5", "4.17.9", "4.17.10", "4.17.11", "4.17.12", "4.17.13", "4.17.14", "4.17.15", "4.17.16", "4.17.17", "4.17.18", "4.17.19", "4.17.20", "4.17.21"]

Secure versions: []

Prototype Pollution in lodash

Published date: 2020-07-15T19:15:48Z

CVE: CVE-2020-8203

Links:

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Affected versions: ["4.17.18", "4.17.17", "4.17.16", "4.17.15", "4.17.14", "4.17.13", "4.17.12", "4.17.11", "4.17.10", "4.17.9", "4.17.5", "4.17.4", "4.17.3", "4.17.2", "4.17.1", "4.17.0", "4.16.6", "4.16.5", "4.16.4", "4.16.3", "4.16.2", "4.16.1", "4.16.0", "4.15.0", "4.14.2", "4.14.1", "4.14.0", "4.13.1", "4.13.0", "4.12.0", "4.11.2", "4.11.1", "4.11.0", "4.10.0", "4.9.0", "4.8.2", "4.8.1", "4.8.0", "4.7.0", "4.6.1", "4.6.0", "4.5.1", "4.5.0", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.0", "4.0.1", "4.0.0", "3.10.1", "3.10.0", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.0", "3.7.0"]

Secure versions: []

Allocation of Resources Without Limits or Throttling

Published date: 1970-01-01

CVSS Score: 7.4

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Links:

Prototype pollution attack (lodash)

Affected versions: ["4.17.15", "4.17.16", "4.17.17", "4.17.18", "NodeJS/lodash/4.17.17", "NodeJS/lodash/4.17.15", "NodeJS/lodash/4.17.16", "NodeJS/lodash/4.17.18"]

Secure versions: []

Recommendation: Update to version 4.17.19 or greater

114 Other Versions

Version	License	Security	Released
4.17.21	MIT	1	2021-02-20 - 15:42	almost 5 years
4.17.20	MIT	3	2020-08-13 - 16:53	over 5 years
4.17.19	MIT	3	2020-07-08 - 17:14	over 5 years
4.17.18	MIT	5	2020-07-08 - 16:07	over 5 years
4.17.17	MIT	5	2020-07-08 - 12:08	over 5 years
4.17.16	MIT	5	2020-07-08 - 10:50	over 5 years
4.17.15	MIT	5	2019-07-19 - 02:28	over 6 years
4.17.14	MIT	4	2019-07-10 - 15:44	over 6 years
4.17.13	MIT	4	2019-07-09 - 22:24	over 6 years
4.17.12	MIT	4	2019-07-09 - 21:07	over 6 years
4.17.11	MIT	5	2018-09-12 - 18:32	over 7 years
4.17.10	MIT	8	2018-04-24 - 18:07	over 7 years
4.17.9	MIT	8	2018-04-24 - 17:44	over 7 years
4.17.5	MIT	8	2018-02-04 - 00:34	almost 8 years
4.17.4	MIT	10	2016-12-31 - 22:33	almost 9 years
4.17.3	MIT	10	2016-12-24 - 14:25	almost 9 years
4.17.2	MIT	10	2016-11-16 - 07:21	about 9 years
4.17.1	MIT	10	2016-11-15 - 07:03	about 9 years
4.17.0	MIT	10	2016-11-14 - 07:00	about 9 years
4.16.6	MIT	10	2016-11-01 - 06:38	about 9 years
4.16.5	MIT	10	2016-10-31 - 06:49	about 9 years
4.16.4	MIT	10	2016-10-06 - 15:13	about 9 years
4.16.3	MIT	10	2016-10-03 - 16:43	about 9 years
4.16.2	MIT	10	2016-09-26 - 03:11	about 9 years
4.16.1	MIT	10	2016-09-20 - 16:59	over 9 years
4.16.0	MIT	10	2016-09-19 - 14:59	over 9 years
4.15.0	MIT	10	2016-08-12 - 14:39	over 9 years
4.14.2	MIT	10	2016-08-08 - 15:35	over 9 years
4.14.1	MIT	10	2016-07-29 - 14:49	over 9 years
4.14.0	MIT	10	2016-07-24 - 18:40	over 9 years
4.13.1	MIT	10	2016-05-23 - 15:59	over 9 years
4.13.0	MIT	10	2016-05-23 - 05:07	over 9 years
4.12.0	MIT	10	2016-05-08 - 19:25	over 9 years
4.11.2	MIT	10	2016-05-02 - 15:01	over 9 years
4.11.1	MIT	10	2016-04-14 - 07:21	over 9 years
4.11.0	MIT	10	2016-04-13 - 15:32	over 9 years
4.10.0	MIT	10	2016-04-11 - 14:43	over 9 years
4.9.0	MIT	10	2016-04-08 - 15:22	over 9 years
4.8.2	MIT	10	2016-04-05 - 02:15	over 9 years
4.8.1	MIT	10	2016-04-04 - 15:43	over 9 years
4.8.0	MIT	10	2016-04-04 - 14:54	over 9 years
4.7.0	MIT	10	2016-03-31 - 15:46	over 9 years
4.6.1	MIT	9	2016-03-02 - 18:09	almost 10 years
4.6.0	MIT	9	2016-03-02 - 03:24	almost 10 years
4.5.1	MIT	9	2016-02-22 - 06:42	almost 10 years
4.5.0	MIT	9	2016-02-17 - 08:39	almost 10 years
4.4.0	MIT	9	2016-02-16 - 07:10	almost 10 years
4.3.0	MIT	9	2016-02-08 - 08:57	almost 10 years
4.2.1	MIT	9	2016-02-03 - 16:00	almost 10 years
4.2.0	MIT	9	2016-02-02 - 08:50	almost 10 years