lodash-es 3.9.3

Direct Vulnerabilities

Known vulnerabilities in the lodash-es package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of `options.imports` key names in `_.template`. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If `Object.prototype` has been polluted, inherited properties may also be copied into the imports object and executed. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to the incomplete fix for CVE-2021-23337. How to fix Arbitrary Code Injection? Upgrade `lodash-es` to version 4.18.1 or higher.	<4.18.1
H Code Injection Affected versions of this package are vulnerable to Code Injection due the improper validation of `options.variable` key names in `_.template`. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If `Object.prototype` has been polluted, inherited properties may also be copied into the imports object and executed. How to fix Code Injection? Upgrade `lodash-es` to version 4.17.21 or higher.	<4.17.21
M Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. POC var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2) How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `lodash-es` to version 4.17.21 or higher.	<4.17.21
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution via the `set` and `setwith` functions due to improper user input sanitization. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.20 or higher.	<4.17.20
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The function `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` payload. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.12 or higher.	<4.17.12
M Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `lodash-es` to version 4.17.11 or higher.	<4.17.11
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The functions `merge`, `mergeWith`, and `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype`. This is due to an incomplete fix to `CVE-2018-3721`. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.11 or higher.	<4.17.11
M Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.5 or higher.	<4.17.5

Vulnerability

Vulnerable Version

Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to the incomplete fix for CVE-2021-23337.

How to fix Arbitrary Code Injection?

Upgrade lodash-es to version 4.18.1 or higher.

<4.18.1

Code Injection

Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

How to fix Code Injection?

Upgrade lodash-es to version 4.17.21 or higher.

<4.17.21

Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

POC

var lo = require('lodash');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var s = build_blank(50000)
var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0)

var time1 = Date.now();
lo.toNumber(s)
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1)

var time2 = Date.now();
lo.trimEnd(s)
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2)

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade lodash-es to version 4.17.21 or higher.

<4.17.21

Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution via the set and setwith functions due to improper user input sanitization.

How to fix Prototype Pollution?

Upgrade lodash-es to version 4.17.20 or higher.

<4.17.20

Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

How to fix Prototype Pollution?

Upgrade lodash-es to version 4.17.12 or higher.

<4.17.12

Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade lodash-es to version 4.17.11 or higher.

<4.17.11

Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to CVE-2018-3721.

How to fix Prototype Pollution?

Upgrade lodash-es to version 4.17.11 or higher.

<4.17.11

Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property.

How to fix Prototype Pollution?

Upgrade lodash-es to version 4.17.5 or higher.

<4.17.5

lodash-es@3.9.3

Lodash exported as ES modules.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

POC