CVE-2021-23337 and CVE-2020-28500 in Lodash (prior to 4.17.21)

Jul 10th 2021

Version

3.1.4

Reproduction link

https://www.cvedetails.com/vulnerability-list/vendor_id-20100/product_id-57083/year-2021/Lodash-Lodash.html

Steps to reproduce

Dependency Lodash 4.17.19 is a vulnerable library.

CVE-2021-23337: Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVE-2020-28500: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE Details: https://www.cvedetails.com/vulnerability-list/vendor_id-20100/product_id-57083/year-2021/Lodash-Lodash.html

Solution: Upgrade to version lodash-4.17.21

What is expected?

Security Vulnerabilities

What is actually happening?

Security Vulnerabilities

Jul 10th 2021

Lodash is a dev dependency; it's not exposed in the final package.
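The two points raised in this thread (is the installed lodash below the fixed 4.17.21, and is it reachable only through devDependencies?) can be checked mechanically from a lockfile. The following is an added example, not code from the reporter, the maintainer or the project; the lockfile content is constructed, and it assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3, where the `packages` map carries a `dev: true` flag on packages reachable only via devDependencies.

```javascript
// Added example: scan an npm lockfile (lockfileVersion 2/3 "packages" map) for lodash
// copies below the fixed release and report whether each is a dev-only install.
const FIXED_LODASH = '4.17.21'; // version named as the fix in the thread

// Numeric comparison of dotted version strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/lodash" or, for nested copies,
// "node_modules/some-lib/node_modules/lodash"; the last segment is the package name.
function findVulnerableLodash(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.split('node_modules/').pop();
    if (name !== 'lodash' || typeof meta.version !== 'string') continue;
    if (compareVersions(meta.version, FIXED_LODASH) < 0) {
      hits.push({ path, version: meta.version, devOnly: meta.dev === true });
    }
  }
  return hits;
}

// True only if some vulnerable copy is NOT dev-only, i.e. it ships with the package.
function shipsVulnerableLodash(lock) {
  return findVulnerableLodash(lock).some((h) => !h.devOnly);
}

// Constructed sample lockfile: a dev-only lodash 4.17.19 (the situation described by the
// maintainer) plus an older production copy nested under another dependency.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/lodash': { version: '4.17.19', dev: true },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.15' },
    'node_modules/lodash-es': { version: '4.17.21' },
  },
};

for (const h of findVulnerableLodash(sampleLock)) {
  console.log(`${h.path} ${h.version} ${h.devOnly ? '(dev only)' : '(production)'}`);
}
```

Pointing `findVulnerableLodash` at `JSON.parse(fs.readFileSync('package-lock.json'))` of a real project gives the same report; a nested production copy is the case a dev-dependency argument alone would miss.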