Search for packages
| purl | pkg:npm/lodash@4.17.21 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-jsc5-qvjm-6kek
Aliases: CVE-2025-13465 GHSA-xxjr-mmjv-4gpg |
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions ### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. ### Patches This issue is patched on 4.17.23. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-e3y9-r7uz-pkfg | Regular Expression Denial of Service (ReDoS) in lodash All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. Steps to reproduce (provided by reporter Liyuan Chen): ```js var lo = require('lodash'); function build_blank(n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0); var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1); var time2 = Date.now(); lo.trimEnd(s); var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2); ``` |
CVE-2020-28500
GHSA-29mw-wpgm-hmr9 |
| VCID-fhw1-4c1k-sfh3 | Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
CVE-2021-23337
GHSA-35jh-r3h4-6jhm |