lodash 4.17.21
A modern JavaScript utility library delivering modularity, performance, & extras.
Install: npm install lodash
Current version release date: February 20, 2021
Language: JavaScript/TypeScript
Package URL (purl): pkg:npm/lodash@4.17.21
lodash Vulnerabilities
CVSS Score | CVE | CWE(s) | EPSS Score | EPSS Percentile
---|---|---|---|---
Medium 5.6 | CVE-2018-16487 | CWE-400 | 0.00128 | 0.48358
Medium 6.5 | CVE-2019-1010266 | CWE-400, CWE-770 | 0.004 | 0.73932
Critical 9.1 | CVE-2019-10744 | CWE-20, CWE-1321 | 0.02082 | 0.8932
Medium 5.3 | CVE-2020-28500 | CWE-400 | 0.00231 | 0.61331
High 7.4 | CVE-2020-8203 | CWE-770, CWE-1321 | 0.01667 | 0.87929
High 7.2 | CVE-2021-23337 | CWE-77, CWE-94 | 0.00858 | 0.82573
Medium 6.5 | CVE-2018-3721 | CWE-471, CWE-400, CWE-284, CWE-1321 | 0.00122 | 0.47315

Severity labels follow the CVSS v3 qualitative scale (9.0 and above is Critical). EPSS Score is the estimated probability that the CVE is exploited in the wild within the next 30 days; EPSS Percentile is the fraction of all scored CVEs with a lower EPSS score. Impacted versions are listed per CVE in the remediation table below.
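Four of the seven rows above carry CWE-1321 (prototype pollution). The following is an added example, not lodash's code and not code from this page: a minimal recursive merge that reproduces the defect class the advisories describe (a `__proto__` payload and a `constructor.prototype` payload both reaching `Object.prototype`), beside a hardened version that refuses those keys, and a check that reports whether the runtime was polluted. The function names, the `polluted` marker and the two payloads are constructed for illustration; it runs under Node.js with no dependencies.

```javascript
// Added example (not lodash's code, not from this page): a minimal recursive
// merge that reproduces the defect class behind the CWE-1321 rows above,
// beside a hardened version, and a check for whether Object.prototype was
// touched. Runs under Node.js with no dependencies.

// Vulnerable: walks every key of the source, including "__proto__" and
// "constructor", and recurses into whatever the target already has there.
// target["__proto__"] is Object.prototype and target["constructor"] is
// Object, so a crafted input reaches Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that lead to a prototype, and only recurse into
// the target's own plain-object properties, never into inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payloads, shaped like a JSON request body. JSON.parse
// creates "__proto__" as an ordinary own property, so Object.keys sees it.
const PAYLOADS = {
  proto: JSON.parse('{"__proto__": {"polluted": "yes"}}'),
  ctor: JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}'),
};

// Runs one merge against an empty object and reports whether a fresh object
// now inherits the injected property; cleans up so runs stay independent.
function pollutes(mergeFn, payload) {
  mergeFn({}, payload);
  const hit = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(`${name}: unsafeMerge pollutes=${pollutes(unsafeMerge, payload)}, ` +
              `safeMerge pollutes=${pollutes(safeMerge, payload)}`);
}
```

The same two payload shapes apply to any deep-merge, deep-default or deep-set routine that takes attacker-controlled keys, which is why the hardened version drops the keys outright instead of trying to sanitise their values. Upgrading lodash to 4.17.21 is the fix for the CVEs listed here; `Object.freeze(Object.prototype)` or building lookup objects with `Object.create(null)` are defence-in-depth measures for application code that does its own merging.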
lodash Vulnerability Remediation Guidance
CVE | Description | Impacted Versions (partial list) | Fix |
---|---|---|---|
CVE-2018-16487 | Prototype pollution in lodash <4.17.11: merge, mergeWith and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, … | Patch → 4.17.21 |
CVE-2019-1010266 | lodash prior to 4.17.11 is affected by CWE-400 (Uncontrolled Resource Consumption) in its date handler, with denial of service as the impact: an attacker supplies very long strings that the library tries to match with a regular expression. Fixed in 4.17.11. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, … | Patch → 4.17.21 |
CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to prototype pollution: defaultsDeep can be tricked into adding or modifying properties of Object.prototype using a constructor payload. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.15.0, 0.1.0, 1.1.0, 1.3.0, … | Patch → 4.17.21 |
CVE-2020-28500 | lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.17.18, 4.17.12, 4.17.13, 4.17.14, … | Patch → 4.17.21 |
CVE-2020-8203 | Prototype pollution via _.zipObjectDeep in lodash before 4.17.20. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.17.18, 4.17.12, 4.17.13, 4.17.14, … | Patch → 4.17.21 |
CVE-2021-23337 | lodash versions prior to 4.17.21 are vulnerable to code injection (classified as CWE-77 command injection and CWE-94 code injection) via the template function: the `variable` option is inserted into the source of the compiled template function without validation, so a caller who lets untrusted input reach that option lets the attacker run arbitrary JavaScript. | 4.17.5, 4.17.4, 4.17.2, 4.17.9, 4.17.18, 4.17.12, 4.17.13, 4.17.14, … | Patch → 4.17.21 |
CVE-2018-3721 | lodash before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge and mergeWith functions: a malicious user can modify the prototype of Object via __proto__, adding or changing a property that then exists on all objects. | 4.17.4, 4.17.2, 4.15.0, 0.1.0, 1.1.0, 1.3.0, 3.9.0, 0.3.0, … | Patch → 4.17.21 |
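The fix versions stated in the descriptions above (4.17.5, 4.17.11, 4.17.12, 4.17.20, 4.17.21) are enough to triage a lockfile offline, including the nested lodash copies that a top-level `^4.17.21` pin does not fix. The script below is an added example, not the page's or lodash's code. It assumes a `package-lock.json` with `lockfileVersion` 2 or 3 (the `packages` map keyed by install path) and plain `x.y.z` versions; pre-release suffixes are reduced to their numeric prefix. The sample lockfile and the `some-lib` package name are constructed for illustration.

```javascript
// Added example (not from this page or from lodash): map every lodash copy in
// an npm lockfile to the CVEs above, using the fix versions the advisories
// state. Assumes lockfileVersion 2/3 ("packages" keyed by install path).

// Fix versions as given in the remediation descriptions.
const FIXED_IN = {
  'CVE-2018-3721': '4.17.5',
  'CVE-2018-16487': '4.17.11',
  'CVE-2019-1010266': '4.17.11',
  'CVE-2019-10744': '4.17.12',
  'CVE-2020-8203': '4.17.20',
  'CVE-2020-28500': '4.17.21',
  'CVE-2021-23337': '4.17.21',
};

// "4.17.15" -> [4, 17, 15]; a non-numeric component ("15-beta") keeps only
// its numeric prefix, which is an assumption of this example.
function parseVersion(v) {
  return v.split('.').map((part) => parseInt(part, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// Missing trailing components count as 0, so "4.17" == "4.17.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// CVEs from the table whose fix version is newer than the installed one.
function affectedCves(version) {
  return Object.keys(FIXED_IN)
    .filter((cve) => compareVersions(version, FIXED_IN[cve]) < 0)
    .sort();
}

// Walks the "packages" map and reports every lodash copy, including copies
// nested under another dependency's node_modules directory.
function triageLockfile(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/lodash' || path.endsWith('/node_modules/lodash')) {
      results.push({ path, version: meta.version, cves: affectedCves(meta.version) });
    }
  }
  return results;
}

// Constructed sample lockfile: the application pins 4.17.21, but a dependency
// ("some-lib", a placeholder name) drags in a nested 4.17.15.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { lodash: '^4.17.21', 'some-lib': '1.0.0' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { lodash: '~4.17.15' } },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.15' },
  },
};

for (const r of triageLockfile(SAMPLE_LOCK)) {
  const list = r.cves.length ? r.cves.join(', ') : 'no listed CVEs';
  console.log(`${r.path}@${r.version}: ${list}`);
}
```

To run it against a real repository, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. A nested copy that reports CVEs needs the intermediate dependency updated, an npm `overrides` entry, or `npm dedupe`; bumping only the top-level pin leaves it in place.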