Version 4.17.21

lodash

A modern JavaScript utility library delivering modularity, performance, & extras.

Install Instructions

npm install lodash
Current Version Release Date: February 20, 2021
Package URL (purl): pkg:npm/lodash@4.17.21

lodash Vulnerabilities

| CVSS Score | CVE | CWE(s) | EPSS Score | EPSS % | Impacted Versions |
|---|---|---|---|---|---|
| Medium 5.6 | CVE-2018-16487 | CWE-400 | 0.00128 | 0.48358 | 4.0.0–4.17.10, 3.0.0–3.10.1, 2.0.0–2.4.2, 1.0.0–1.3.1, 0.1.0–0.10.0 |
| Medium 6.5 | CVE-2019-1010266 | CWE-400, CWE-770 | 0.004 | 0.73932 | 4.0.0–4.17.10, 3.0.0–3.10.1, 2.0.0–2.4.2, 1.0.0–1.3.1, 0.1.0–0.10.0 |
| High 9.1 | CVE-2019-10744 | CWE-20, CWE-1321 | 0.02082 | 0.8932 | 4.0.0–4.17.11, 3.0.0–3.10.1, 2.0.0–2.4.2, 1.0.0–1.3.1, 0.1.0–0.10.0 |
| Medium 5.3 | CVE-2020-28500 | CWE-400 | 0.00231 | 0.61331 | 4.0.0–4.17.20, 3.0.0–3.10.1, 2.0.0–2.4.2, 1.0.0–1.3.1, 0.1.0–0.10.0 |
| High 7.4 | CVE-2020-8203 | CWE-770, CWE-1321 | 0.01667 | 0.87929 | 4.0.0–4.17.18, 3.7.0–3.10.1 |
| High 7.2 | CVE-2021-23337 | CWE-77, CWE-94 | 0.00858 | 0.82573 | 4.0.0–4.17.20, 3.0.0–3.10.1, 2.0.0–2.4.2, 1.0.0–1.3.1, 0.1.0–0.10.0 |
| Medium 6.5 | CVE-2018-3721 | CWE-471, CWE-400, CWE-284, CWE-1321 | 0.00122 | 0.47315 | 4.0.0–4.17.4, 3.0.0–3.10.1, 2.0.0–2.4.2, 1.0.0–1.3.1, 0.1.0–0.10.0 |

lodash Vulnerability Remediation Guidance

| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2018-16487 | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, … | Patch → 4.17.21 |
| CVE-2019-1010266 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, … | Patch → 4.17.21 |
| CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, … | Patch → 4.17.21 |
| CVE-2020-28500 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.17.18, 4.17.12, 4.17.13, 4.17.14, … | Patch → 4.17.21 |
| CVE-2020-8203 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.17.18, 4.17.12, 4.17.13, 4.17.14, … | Patch → 4.17.21 |
| CVE-2021-23337 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.17.18, 4.17.12, 4.17.13, 4.17.14, … | Patch → 4.17.21 |
| CVE-2018-3721 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects. | 4.17.4, 4.17.2, 4.15.0, 0.1.0, 1.1.0, 1.3.0, 3.9.0, 0.3.0, … | Patch → 4.17.21 |

Frequently Asked Questions

What is Lodash used for?
Lodash is a JavaScript library that provides utility functions for common programming tasks.
How do I install Lodash?
You can install Lodash using npm: `npm install lodash`.
Is Lodash still relevant?
Yes, Lodash remains a popular utility library, especially for working with arrays, objects, and other data types in JavaScript.