logo

Database

Asymmetric denial of service - ReDoS In node-lodash

Description

Regular Expression Denial of Service (ReDoS) in lodash All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";...

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-285002. NVD-2020-285003. OSV-DEBIAN-2020-285004. OSV-2020-285005. GCVE-2020-285006. SECURITY-TRACKER-CVE-2020-28500

References

1. https://github.com/github/advisory-database/pull/61392. https://github.com/lodash/lodash/pull/50653. https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb74. https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a5. https://www.oracle.com/security-alerts/cpuoct2021.html6. https://www.oracle.com/security-alerts/cpujul2022.html7. https://www.oracle.com/security-alerts/cpujan2022.html8. https://www.oracle.com//security-alerts/cpujul2021.html9. https://security.netapp.com/advisory/ntap-20210312-000610. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml11. https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L812. https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.