Version 4.17.21

lodash

A modern JavaScript utility library delivering modularity, performance, & extras.

Install Instructions

npm install lodash
Current Version Release Date: February 20, 2021
Package URL (purl): pkg:npm/lodash@4.17.21


lodash Vulnerabilities

CVE | Severity | CVSS Score | CWE(s) | EPSS Score | EPSS Percentile | Impacted Versions (listed under each row)
CVE-2018-16487 Medium 5.6 CWE-400 0.00128 0.49057
  • 4.0.0–4.17.10
  • 3.0.0–3.10.1
  • 2.0.0–2.4.2
  • 1.0.0–1.3.1
  • 0.1.0–0.10.0
CVE-2018-3721 Medium 6.5 CWE-284, CWE-471, CWE-400, CWE-1321 0.00122 0.4805
  • 4.0.0–4.17.4
  • 3.0.0–3.10.1
  • 2.0.0–2.4.2
  • 1.0.0–1.3.1
  • 0.1.0–0.10.0
CVE-2019-1010266 Medium 6.5 CWE-400, CWE-770 0.004 0.7434
  • 4.0.0–4.17.10
  • 3.0.0–3.10.1
  • 2.0.0–2.4.2
  • 1.0.0–1.3.1
  • 0.1.0–0.10.0
CVE-2019-10744 Critical 9.1 CWE-1321, CWE-20 0.02082 0.89521
  • 4.0.0–4.17.11
  • 3.0.0–3.10.1
  • 2.0.0–2.4.2
  • 1.0.0–1.3.1
  • 0.1.0–0.10.0
CVE-2020-28500 Medium 5.3 CWE-400 0.00231 0.61944
  • 4.0.0–4.17.20
  • 3.0.0–3.10.1
  • 2.0.0–2.4.2
  • 1.0.0–1.3.1
  • 0.1.0–0.10.0
CVE-2020-8203 High 7.4 CWE-1321, CWE-770 0.01645 0.88071
  • 4.0.0–4.17.18
  • 3.7.0–3.10.1
CVE-2021-23337 High 7.2 CWE-94, CWE-77 0.00858 0.82924
  • 4.0.0–4.17.20
  • 3.0.0–3.10.1
  • 2.0.0–2.4.2
  • 1.0.0–1.3.1
  • 0.1.0–0.10.0
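The table above is only useful if you can map it onto what is actually installed. The following is an added example, not lodash's code and not an official advisory feed: it encodes the "Impacted Versions" ranges exactly as listed above and walks a package-lock.json v2/v3 `packages` map, because a pinned top-level lodash says nothing about nested copies such as `node_modules/<dep>/node_modules/lodash`. The sample lockfile is constructed for the example.

```javascript
// Added example (not lodash's code, not an official advisory feed): map a lodash version
// to the CVEs listed on this page. The ranges are copied from the "Impacted Versions"
// column above; the fixed release is the next patch after each 4.x upper bound.
const LEGACY_RANGES = [['3.0.0', '3.10.1'], ['2.0.0', '2.4.2'], ['1.0.0', '1.3.1'], ['0.1.0', '0.10.0']];

const LODASH_ADVISORIES = [
  { cve: 'CVE-2018-16487',   ranges: [['4.0.0', '4.17.10'], ...LEGACY_RANGES] },
  { cve: 'CVE-2018-3721',    ranges: [['4.0.0', '4.17.4'],  ...LEGACY_RANGES] },
  { cve: 'CVE-2019-1010266', ranges: [['4.0.0', '4.17.10'], ...LEGACY_RANGES] },
  { cve: 'CVE-2019-10744',   ranges: [['4.0.0', '4.17.11'], ...LEGACY_RANGES] },
  { cve: 'CVE-2020-28500',   ranges: [['4.0.0', '4.17.20'], ...LEGACY_RANGES] },
  { cve: 'CVE-2020-8203',    ranges: [['4.0.0', '4.17.18'], ['3.7.0', '3.10.1']] },
  { cve: 'CVE-2021-23337',   ranges: [['4.0.0', '4.17.20'], ...LEGACY_RANGES] },
];

// Parse "MAJOR.MINOR.PATCH"; a leading "v" or a "-beta" style suffix is tolerated and ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component: "4.17.9" < "4.17.10", which a string compare gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, [low, high]) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// CVE IDs (in the order of the table above) whose impacted ranges contain `version`.
function findLodashAdvisories(version) {
  return LODASH_ADVISORIES
    .filter(({ ranges }) => ranges.some((r) => inRange(version, r)))
    .map(({ cve }) => cve);
}

// Walk a package-lock.json v2/v3 "packages" map. Nested copies such as
// node_modules/<dep>/node_modules/lodash are separate installs and must be checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/lodash$/.test(path) || !meta.version) continue;
    const cves = findLodashAdvisories(meta.version);
    if (cves.length > 0) findings.push({ path, version: meta.version, cves });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): the app pins 4.17.21, but a transitive
// dependency drags in its own nested, older lodash.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21', 'legacy-widget': '1.0.0' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/legacy-widget': { version: '1.0.0', dependencies: { lodash: '~4.17.11' } },
    'node_modules/legacy-widget/node_modules/lodash': { version: '4.17.11' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; `npm ls lodash` shows the same nested copies, and `npm audit` checks them against the npm advisory database rather than this page's table.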

lodash Vulnerability Remediation Guidance

CVE | Description | Impacted Versions (partial list; the page truncates the full list) | Fix

CVE-2021-23337
  Description: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
  Impacted versions: 4.17.2, 4.17.4, 4.17.5, 4.17.18, 4.17.9, 4.17.12, 4.17.13, 4.17.14, …
  Fix: upgrade to 4.17.21
CVE-2020-8203
  Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
  Impacted versions: 4.17.2, 4.17.4, 4.17.5, 4.17.18, 4.17.9, 4.17.12, 4.17.13, 4.17.14, …
  Fix: upgrade to 4.17.21 (the impacted range in the table above ends at 4.17.18, so 4.17.19 already carries this fix; 4.17.21 also closes the later CVEs)
CVE-2020-28500
  Description: Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
  Impacted versions: 4.17.2, 4.17.4, 4.17.5, 4.17.18, 4.17.9, 4.17.12, 4.17.13, 4.17.14, …
  Fix: upgrade to 4.17.21
CVE-2019-10744
  Description: Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
  Impacted versions: 4.17.2, 4.17.4, 4.17.5, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, …
  Fix: upgrade to 4.17.21
CVE-2019-1010266
  Description: lodash prior to 4.17.11 is affected by CWE-400: Uncontrolled Resource Consumption. The impact is denial of service. The component is the date handler. The attack vector: an attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is 4.17.11.
  Impacted versions: 4.17.2, 4.17.4, 4.17.5, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, …
  Fix: upgrade to 4.17.21
CVE-2018-3721
  Description: The lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of a property that will then exist on all objects.
  Impacted versions: 4.17.2, 4.17.4, 4.15.0, 0.1.0, 1.1.0, 1.3.0, 3.9.0, 4.8.1, …
  Fix: upgrade to 4.17.21
CVE-2018-16487
  Description: A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
  Impacted versions: 4.17.2, 4.17.4, 4.17.5, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, …
  Fix: upgrade to 4.17.21
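Three of the entries above (CVE-2018-3721, CVE-2018-16487, CVE-2019-10744) are the same bug class: a deep merge that walks attacker-controlled keys such as `__proto__` or `constructor`/`prototype` into the target. The following is an added, illustrative example and is not lodash's implementation. It shows a minimal merge with that mistake, a hardened merge that refuses prototype-reaching keys and only recurses into the target's own properties, and an input-side check that reports such keys in untrusted JSON before any merge sees it. The payloads are constructed for the example.

```javascript
// Added example (illustrative code, not lodash's implementation): the prototype pollution
// bug class behind CVE-2018-3721, CVE-2018-16487 and CVE-2019-10744, next to a hardened
// merge and a pre-parse check for untrusted JSON.

function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Minimal recursive merge with the classic mistake: it trusts every key of the input.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    const existing = target[key]; // for key "__proto__" this is Object.prototype itself
    if (isObject(value) && isObject(existing)) {
      naiveDeepMerge(existing, value); // ...so the recursion writes onto every object in the process
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach a prototype through a plain object or a function.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: refuse prototype-reaching keys and only recurse into the target's OWN
// nested objects, never into something inherited.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(value) && hasOwn && isObject(target[key])) {
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-side check for request bodies: returns the dotted path of every prototype-reaching
// key so the request can be rejected (or logged) before any merge sees it.
function findUnsafeKeys(value, path = '') {
  const hits = [];
  if (!isObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    hits.push(...findUnsafeKeys(value[key], here));
  }
  return hits;
}

// Constructed attacker payloads, as they would arrive in a JSON request body. JSON.parse
// produces an OWN property literally named "__proto__"; an object literal in source code
// would instead set the prototype and not reproduce the bug.
const PAYLOAD_JSON = '{"name": "alice", "__proto__": {"isAdmin": true}}';
const CONSTRUCTOR_PAYLOAD_JSON = '{"profile": {"constructor": {"prototype": {"isAdmin": true}}}}';

// Merge the payload into an empty object and report whether an UNRELATED object picked up
// the injected field. Cleans up afterwards so the demonstration does not leak into the
// rest of the process.
function pollutes(mergeFn) {
  const unrelated = {};
  try {
    mergeFn({}, JSON.parse(PAYLOAD_JSON));
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('naive merge pollutes Object.prototype:', pollutes(naiveDeepMerge)); // true
console.log('safe merge pollutes Object.prototype:', pollutes(safeDeepMerge));   // false
console.log('unsafe keys in payload:', findUnsafeKeys(JSON.parse(CONSTRUCTOR_PAYLOAD_JSON)));
```

The `hasOwnProperty` check matters on its own: even with `__proto__` filtered, recursing into an inherited value would still let input steer writes somewhere other than the target. `findUnsafeKeys` is a detection aid for request validation or logging, not a substitute for upgrading lodash, since the vulnerable functions are reachable through many code paths.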


Frequently Asked Questions

What is Lodash used for?
Lodash is a JavaScript library that provides utility functions for common programming tasks.
How do I install Lodash?
You can install Lodash using npm: `npm install lodash`.
Is Lodash still relevant?
Yes, Lodash remains a popular utility library, especially for working with arrays, objects, and other data types in JavaScript.