Fluid Attacks Database

Description

Regular Expression Denial of Service (ReDoS) in lodash lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1
debian 11	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1
npm	lodash-amd	>=4.7.0 <4.17.11	4.17.11
rubygems	lodash-rails	>=4.7.0 <4.17.11	4.17.11
npm	lodash-es	>=4.7.0 <4.17.11	4.17.11
npm	lodash	>=4.7.0 <4.17.11	4.17.11
debian 12	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1
debian 14	node-lodash	>=0 <4.17.11+dfsg-1	4.17.11+dfsg-1

Aliases

1. CVE-2019-10102662. NVD-2019-10102663. OSV-DEBIAN-2019-10102664. OSV-2019-10102665. GCVE-2019-10102666. SECURITY-TRACKER-CVE-2019-1010266

References

1. https://github.com/lodash/lodash/issues/33592. https://github.com/github/advisory-database/pull/61383. https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd62673474. https://github.com/lodash/lodash/wiki/Changelog5. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml6. https://security.netapp.com/advisory/ntap-20190919-0004