Vulnerability details: VCID-2bwn-573p-rqay
Vulnerability ID VCID-2bwn-573p-rqay
Aliases CVE-2019-1010266
GHSA-x5rq-j2xg-h7qm
Summary Regular Expression Denial of Service (ReDoS) in lodash. lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 4.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1010266.json
epss 0.00211 https://api.first.org/data/v1/epss?cve=CVE-2019-1010266
epss 0.00217 https://api.first.org/data/v1/epss?cve=CVE-2019-1010266
cvssv3 6.5 https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
cvssv3.1 6.5 https://github.com/github/advisory-database/pull/6138
generic_textual MODERATE https://github.com/github/advisory-database/pull/6138
cvssv3.1 6.5 https://github.com/lodash/lodash
generic_textual MODERATE https://github.com/lodash/lodash
cvssv3.1 6.5 https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347
generic_textual MODERATE https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347
cvssv3.1 6.5 https://github.com/lodash/lodash/issues/3359
generic_textual MODERATE https://github.com/lodash/lodash/issues/3359
cvssv3.1 6.5 https://github.com/lodash/lodash/wiki/Changelog
generic_textual MODERATE https://github.com/lodash/lodash/wiki/Changelog
cvssv3.1 6.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
cvssv3.1 6.5 https://security.netapp.com/advisory/ntap-20190919-0004
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20190919-0004
cvssv3.1 6.5 https://snyk.io/vuln/SNYK-JS-LODASH-73639
generic_textual MODERATE https://snyk.io/vuln/SNYK-JS-LODASH-73639
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1010266.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/github/advisory-database/pull/6138
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/lodash/lodash
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/lodash/lodash/issues/3359
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/lodash/lodash/wiki/Changelog
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20190919-0004
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://snyk.io/vuln/SNYK-JS-LODASH-73639
Exploit Prediction Scoring System (EPSS)
Percentile 0.43609
EPSS Score 0.00211
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:04:37.645368+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json 38.0.0