
Regular Expression Denial of Service (ReDoS) in lodash

Moderate severity GitHub Reviewed Published Jul 19, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package              Affected versions   Patched versions
lodash (npm)         < 4.17.11           4.17.11
lodash-amd (npm)     < 4.17.11           4.17.11
lodash-es (npm)      < 4.17.11           4.17.11

Description

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
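Checking an installed dependency tree against the affected ranges in the table above, as an added example that is not part of this advisory or of lodash itself; it walks a lockfile v2/v3 "packages" map (the lockfile contents below are constructed for the demo).

```javascript
// Added example: audit a package-lock.json for the three package names in
// this advisory (GHSA-x5rq-j2xg-h7qm). Not lodash or GitHub code; the lock
// file content below is constructed, not taken from a real project.
const PATCHED = "4.17.11";
const AFFECTED_PACKAGES = new Set(["lodash", "lodash-amd", "lodash-es"]);

// Compare two dotted versions numerically; "1.2.3-beta" sorts below "1.2.3".
function compareVersions(a, b) {
  const [aCore, aPre] = a.split("-");
  const [bCore, bPre] = b.split("-");
  const ap = aCore.split(".").map(Number);
  const bp = bCore.split(".").map(Number);
  for (let i = 0; i < Math.max(ap.length, bp.length); i++) {
    const d = (ap[i] || 0) - (bp[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// True when the package/version pair falls inside the advisory's "< 4.17.11".
function isVulnerable(name, version) {
  return AFFECTED_PACKAGES.has(name) && compareVersions(version, PATCHED) < 0;
}

// Walk lockfile "packages" entries (keys like "node_modules/lodash" or the
// nested "node_modules/foo/node_modules/lodash-es") and return affected ones.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (path && meta.version && isVulnerable(name, meta.version)) {
      findings.push({ path, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed lockfile: a patched top-level lodash, a nested vulnerable
// lodash-es, and an unrelated lodash.get that must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/widget/node_modules/lodash-es": { version: "4.17.10" },
    "node_modules/lodash.get": { version: "4.4.2" },
  },
};

console.log(auditLock(SAMPLE_LOCK)); // one finding: the nested lodash-es 4.17.10
```

Nested copies are the usual way an affected version survives an upgrade of the top-level dependency, which is why the audit keys on the full lockfile path rather than the top-level entry only.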

References

Reviewed Jul 19, 2019
Published to the GitHub Advisory Database Jul 19, 2019
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

0.222% (60th percentile)

Weaknesses

CVE ID

CVE-2019-1010266

GHSA ID

GHSA-x5rq-j2xg-h7qm

Source code

No known source code
