lodash-es@4.11.0 vulnerabilities

Lodash exported as ES modules.

latest version

4.17.21
latest non vulnerable version

4.17.21
first published

10 years ago
latest version published

4 years ago
licenses detected
- MIT
  >=0
View lodash-es package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the lodash-es package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Code Injection Affected versions of this package are vulnerable to Code Injection via `template`. PoC `var _ = require('lodash'); _.template('', { variable: '){console.log(process.env)}; with(obj' })()` How to fix Code Injection? Upgrade `lodash-es` to version 4.17.21 or higher.	<4.17.21
M Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. POC var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2) How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `lodash-es` to version 4.17.21 or higher.	<4.17.21
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution via the `set` and `setwith` functions due to improper user input sanitization. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.20 or higher.	<4.17.20
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The function `zipObjectDeep` can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.20 or higher.	>=4.1.0 <4.17.20
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The function `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` payload. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.12 or higher.	<4.17.12
M Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `lodash-es` to version 4.17.11 or higher.	<4.17.11
H Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The functions `merge`, `mergeWith`, and `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype`. This is due to an incomplete fix to `CVE-2018-3721`. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.11 or higher.	<4.17.11
M Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.17.5 or higher.	<4.17.5

Go back to all versions of this package

lodash-es@4.11.0 vulnerabilities

Lodash exported as ES modules.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC

POC