org.webjars.npm:lodash 3.5.0 vulnerabilities

Known vulnerabilities in the org.webjars.npm:lodash package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Prototype Pollution org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution through the `zipObjectDeep` function due to improper user input sanitization in the `baseZipObject` function. How to fix Prototype Pollution? Upgrade `org.webjars.npm:lodash` to version 4.17.17 or higher.	[,4.17.17)
H Code Injection org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Code Injection via `template`. PoC `var _ = require('lodash'); _.template('', { variable: '){console.log(process.env)}; with(obj' })()` How to fix Code Injection? Upgrade `org.webjars.npm:lodash` to version 4.17.21 or higher.	[,4.17.21)
M Regular Expression Denial of Service (ReDoS) org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. POC var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2) How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `org.webjars.npm:lodash` to version 4.17.21 or higher.	[,4.17.21)
H Prototype Pollution org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution via the `set` and `setwith` functions due to improper user input sanitization. How to fix Prototype Pollution? Upgrade `org.webjars.npm:lodash` to version 4.17.17 or higher.	[,4.17.17)
H Prototype Pollution org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution. The function `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` payload. How to fix Prototype Pollution? Upgrade `org.webjars.npm:lodash` to version 4.17.12 or higher.	[,4.17.12)
M Regular Expression Denial of Service (ReDoS) org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `org.webjars.npm:lodash` to version 4.17.11 or higher.	[,4.17.11)
H Prototype Pollution org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution. The functions `merge`, `mergeWith`, and `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype`. This is due to an incomplete fix to `CVE-2018-3721`. How to fix Prototype Pollution? Upgrade `org.webjars.npm:lodash` to version 4.17.11 or higher.	[,4.17.11)
M Prototype Pollution org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. How to fix Prototype Pollution? Upgrade `org.webjars.npm:lodash` to version 4.17.5 or higher.	[,4.17.5)

Vulnerability

Vulnerable Version

Prototype Pollution

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution through the zipObjectDeep function due to improper user input sanitization in the baseZipObject function.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:lodash to version 4.17.17 or higher.

[,4.17.17)

Code Injection

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Code Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

How to fix Code Injection?

Upgrade org.webjars.npm:lodash to version 4.17.21 or higher.

[,4.17.21)

Regular Expression Denial of Service (ReDoS)

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

POC

var lo = require('lodash');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var s = build_blank(50000)
var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0)

var time1 = Date.now();
lo.toNumber(s)
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1)

var time2 = Date.now();
lo.trimEnd(s)
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2)

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.webjars.npm:lodash to version 4.17.21 or higher.

[,4.17.21)

Prototype Pollution

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the set and setwith functions due to improper user input sanitization.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:lodash to version 4.17.17 or higher.

[,4.17.17)

Prototype Pollution

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:lodash to version 4.17.12 or higher.

[,4.17.12)

Regular Expression Denial of Service (ReDoS)

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.webjars.npm:lodash to version 4.17.11 or higher.

[,4.17.11)

Prototype Pollution

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to CVE-2018-3721.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:lodash to version 4.17.11 or higher.

[,4.17.11)

Prototype Pollution

org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:lodash to version 4.17.5 or higher.

[,4.17.5)

org.webjars.npm:lodash@3.5.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?

PoC

POC