NodeJS/lodash/4.17.20
Lodash modular utilities.
https://www.npmjs.com/package/lodash
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS) in lodash
Published date: 2022-01-06T20:30:46Z
CVE: CVE-2020-28500
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- https://github.com/lodash/lodash/pull/5065
- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen): ```js var lo = require('lodash');
function buildblank(n) {
var ret = 1
for (var i = 0; i < n; i++) {
ret += "
}
return ret +
1";
}
var s = buildblank(50000) var time0 = Date.now();
lo.trim(s)
var timecost0 = Date.now() - time0;
console.log("timecost0: + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log(
timecost1: " + timecost1);
var time2 = Date.now();
lo.trimEnd(s);
var timecost2 = Date.now() - time2;
console.log("timecost2: " + time_cost2);
```
Affected versions:
["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "4.17.5", "4.17.9", "4.17.10", "4.17.11", "4.17.12", "4.17.13", "4.17.14", "4.17.15", "4.17.16", "4.17.17", "4.17.18", "4.17.19", "4.17.20"]
Secure versions:
[]
Command Injection in lodash
Published date: 2021-05-06T16:05:51Z
CVE: CVE-2021-23337
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://security.netapp.com/advisory/ntap-20210312-0006
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Affected versions:
["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "4.17.5", "4.17.9", "4.17.10", "4.17.11", "4.17.12", "4.17.13", "4.17.14", "4.17.15", "4.17.16", "4.17.17", "4.17.18", "4.17.19", "4.17.20"]
Secure versions:
[]
Withdrawn: Arbitrary code execution in lodash
Published date: 2021-12-03T20:37:32Z
CVE: CVE-2021-41720
Links:
Withdrawn
GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.
CVE description
"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.
Affected versions:
["0.1.0", "0.2.0", "0.2.1", "0.2.2", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.4.1", "0.4.2", "0.5.0-rc.1", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.7.0", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0-rc.3", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.0.0", "3.0.1", "3.1.0", "3.2.0", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.6.0", "1.0.2", "3.7.0", "2.4.2", "3.8.0", "3.9.0", "3.9.1", "3.9.2", "3.9.3", "3.10.0", "3.10.1", "4.0.0", "4.0.1", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.5.0", "4.5.1", "4.6.0", "4.6.1", "4.7.0", "4.8.0", "4.8.1", "4.8.2", "4.9.0", "4.10.0", "4.11.0", "4.11.1", "4.11.2", "4.12.0", "4.13.0", "4.13.1", "4.14.0", "4.14.1", "4.14.2", "4.15.0", "4.16.0", "4.16.1", "4.16.2", "4.16.3", "4.16.4", "4.16.5", "4.16.6", "4.17.0", "4.17.1", "4.17.2", "4.17.3", "4.17.4", "4.17.5", "4.17.9", "4.17.10", "4.17.11", "4.17.12", "4.17.13", "4.17.14", "4.17.15", "4.17.16", "4.17.17", "4.17.18", "4.17.19", "4.17.20", "4.17.21"]
Secure versions:
[]
114 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 4.17.21 | MIT | 1 | 2021-02-20 - 15:42 | about 3 years |
| 4.17.20 | MIT | 3 | 2020-08-13 - 16:53 | over 3 years |
| 4.17.19 | MIT | 3 | 2020-07-08 - 17:14 | almost 4 years |
| 4.17.18 | MIT | 5 | 2020-07-08 - 16:07 | almost 4 years |
| 4.17.17 | MIT | 5 | 2020-07-08 - 12:08 | almost 4 years |
| 4.17.16 | MIT | 5 | 2020-07-08 - 10:50 | almost 4 years |
| 4.17.15 | MIT | 5 | 2019-07-19 - 02:28 | almost 5 years |
| 4.17.14 | MIT | 4 | 2019-07-10 - 15:44 | almost 5 years |
| 4.17.13 | MIT | 4 | 2019-07-09 - 22:24 | almost 5 years |
| 4.17.12 | MIT | 4 | 2019-07-09 - 21:07 | almost 5 years |
| 4.17.11 | MIT | 5 | 2018-09-12 - 18:32 | over 5 years |
| 4.17.10 | MIT | 8 | 2018-04-24 - 18:07 | about 6 years |
| 4.17.9 | MIT | 8 | 2018-04-24 - 17:44 | about 6 years |
| 4.17.5 | MIT | 8 | 2018-02-04 - 00:34 | about 6 years |
| 4.17.4 | MIT | 10 | 2016-12-31 - 22:33 | over 7 years |
| 4.17.3 | MIT | 10 | 2016-12-24 - 14:25 | over 7 years |
| 4.17.2 | MIT | 10 | 2016-11-16 - 07:21 | over 7 years |
| 4.17.1 | MIT | 10 | 2016-11-15 - 07:03 | over 7 years |
| 4.17.0 | MIT | 10 | 2016-11-14 - 07:00 | over 7 years |
| 4.16.6 | MIT | 10 | 2016-11-01 - 06:38 | over 7 years |
| 4.16.5 | MIT | 10 | 2016-10-31 - 06:49 | over 7 years |
| 4.16.4 | MIT | 10 | 2016-10-06 - 15:13 | over 7 years |
| 4.16.3 | MIT | 10 | 2016-10-03 - 16:43 | over 7 years |
| 4.16.2 | MIT | 10 | 2016-09-26 - 03:11 | over 7 years |
| 4.16.1 | MIT | 10 | 2016-09-20 - 16:59 | over 7 years |
| 4.16.0 | MIT | 10 | 2016-09-19 - 14:59 | over 7 years |
| 4.15.0 | MIT | 10 | 2016-08-12 - 14:39 | over 7 years |
| 4.14.2 | MIT | 10 | 2016-08-08 - 15:35 | over 7 years |
| 4.14.1 | MIT | 10 | 2016-07-29 - 14:49 | almost 8 years |
| 4.14.0 | MIT | 10 | 2016-07-24 - 18:40 | almost 8 years |
| 4.13.1 | MIT | 10 | 2016-05-23 - 15:59 | almost 8 years |
| 4.13.0 | MIT | 10 | 2016-05-23 - 05:07 | almost 8 years |
| 4.12.0 | MIT | 10 | 2016-05-08 - 19:25 | almost 8 years |
| 4.11.2 | MIT | 10 | 2016-05-02 - 15:01 | almost 8 years |
| 4.11.1 | MIT | 10 | 2016-04-14 - 07:21 | about 8 years |
| 4.11.0 | MIT | 10 | 2016-04-13 - 15:32 | about 8 years |
| 4.10.0 | MIT | 10 | 2016-04-11 - 14:43 | about 8 years |
| 4.9.0 | MIT | 10 | 2016-04-08 - 15:22 | about 8 years |
| 4.8.2 | MIT | 10 | 2016-04-05 - 02:15 | about 8 years |
| 4.8.1 | MIT | 10 | 2016-04-04 - 15:43 | about 8 years |
| 4.8.0 | MIT | 10 | 2016-04-04 - 14:54 | about 8 years |
| 4.7.0 | MIT | 10 | 2016-03-31 - 15:46 | about 8 years |
| 4.6.1 | MIT | 10 | 2016-03-02 - 18:09 | about 8 years |
| 4.6.0 | MIT | 10 | 2016-03-02 - 03:24 | about 8 years |
| 4.5.1 | MIT | 10 | 2016-02-22 - 06:42 | about 8 years |
| 4.5.0 | MIT | 10 | 2016-02-17 - 08:39 | about 8 years |
| 4.4.0 | MIT | 10 | 2016-02-16 - 07:10 | about 8 years |
| 4.3.0 | MIT | 10 | 2016-02-08 - 08:57 | about 8 years |
| 4.2.1 | MIT | 10 | 2016-02-03 - 16:00 | about 8 years |
| 4.2.0 | MIT | 10 | 2016-02-02 - 08:50 | about 8 years |
| 4.1.0 | MIT | 10 | 2016-01-29 - 16:33 | about 8 years |
| 4.0.1 | MIT | 10 | 2016-01-25 - 16:06 | over 8 years |
| 4.0.0 | MIT | 10 | 2016-01-12 - 23:13 | over 8 years |
| 3.10.1 | MIT | 10 | 2015-08-04 - 06:05 | over 8 years |
| 3.10.0 | MIT | 10 | 2015-06-30 - 15:13 | almost 9 years |
| 3.9.3 | MIT | 10 | 2015-05-26 - 01:47 | almost 9 years |
| 3.9.2 | MIT | 10 | 2015-05-24 - 20:57 | almost 9 years |
| 3.9.1 | MIT | 10 | 2015-05-19 - 21:00 | almost 9 years |
| 3.9.0 | MIT | 10 | 2015-05-19 - 18:26 | almost 9 years |
| 3.8.0 | MIT | 10 | 2015-05-01 - 15:45 | almost 9 years |
| 3.7.0 | MIT | 10 | 2015-04-16 - 15:47 | about 9 years |
| 3.6.0 | MIT | 9 | 2015-03-25 - 15:36 | about 9 years |
| 3.5.0 | MIT | 9 | 2015-03-09 - 05:01 | about 9 years |
| 3.4.0 | MIT | 9 | 2015-03-06 - 16:44 | about 9 years |
| 3.3.1 | MIT | 9 | 2015-02-24 - 16:02 | about 9 years |
| 3.3.0 | MIT | 9 | 2015-02-20 - 17:08 | about 9 years |
| 3.2.0 | MIT | 9 | 2015-02-12 - 17:01 | about 9 years |
| 3.1.0 | MIT | 9 | 2015-02-03 - 16:53 | about 9 years |
| 3.0.1 | MIT | 9 | 2015-01-30 - 09:33 | about 9 years |
| 3.0.0 | MIT | 9 | 2015-01-26 - 15:09 | over 9 years |
| 2.4.2 | MIT | 9 | 2015-04-26 - 21:04 | about 9 years |
| 2.4.1 | MIT | 9 | 2013-12-03 - 16:51 | over 10 years |
| 2.4.0 | MIT | 9 | 2013-11-26 - 19:40 | over 10 years |
| 2.3.0 | MIT | 9 | 2013-11-11 - 17:30 | over 10 years |
| 2.2.1 | MIT | 9 | 2013-10-03 - 18:29 | over 10 years |
| 2.2.0 | MIT | 9 | 2013-09-29 - 21:52 | over 10 years |
| 2.1.0 | MIT | 9 | 2013-09-23 - 05:57 | over 10 years |
| 2.0.0 | MIT | 9 | 2013-09-14 - 04:22 | over 10 years |
| 1.3.1 | MIT | 9 | 2013-09-04 - 14:25 | over 10 years |
| 1.3.0 | MIT | 9 | 2013-09-04 - 14:25 | over 10 years |
| 1.2.1 | MIT | 9 | 2013-09-04 - 14:24 | over 10 years |
| 1.2.0 | MIT | 9 | 2013-09-04 - 14:24 | over 10 years |
| 1.1.1 | MIT | 9 | 2013-09-04 - 14:24 | over 10 years |
| 1.1.0 | MIT | 9 | 2013-09-04 - 14:23 | over 10 years |
| 1.0.2 | MIT | 9 | 2015-03-30 - 15:58 | about 9 years |
| 1.0.1 | MIT | 9 | 2013-08-31 - 05:16 | over 10 years |
| 1.0.0 | MIT | 9 | 2013-08-31 - 05:11 | over 10 years |
| 1.0.0-rc.3 | MIT | 9 | 2013-08-31 - 05:08 | over 10 years |
| 1.0.0-rc.2 | MIT | 9 | 2013-08-31 - 05:05 | over 10 years |
| 1.0.0-rc.1 | MIT | 9 | 2013-08-31 - 05:00 | over 10 years |
| 0.10.0 | MIT | 9 | 2013-08-31 - 04:56 | over 10 years |
| 0.9.2 | MIT | 9 | 2013-08-31 - 04:52 | over 10 years |
| 0.9.1 | MIT | 9 | 2013-08-31 - 04:49 | over 10 years |
| 0.9.0 | MIT | 9 | 2013-08-31 - 04:46 | over 10 years |
| 0.8.2 | MIT | 9 | 2012-10-10 - 07:51 | over 11 years |
| 0.8.1 | MIT | 9 | 2012-10-04 - 08:53 | over 11 years |
| 0.8.0 | MIT | 9 | 2012-10-02 - 06:49 | over 11 years |
| 0.7.0 | MIT | 9 | 2012-09-11 - 16:24 | over 11 years |
| 0.6.1 | MIT | 9 | 2012-08-30 - 08:01 | over 11 years |
| 0.6.0 | MIT | 9 | 2012-08-28 - 16:01 | over 11 years |