Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/lodash-rails@4.17.11

Type gem

Namespace

Name lodash-rails

Version 4.17.11

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.17.21

Latest_non_vulnerable_version 4.17.21

Affected_by_vulnerabilities

url VCID-aecq-1mad-n7h1

vulnerability_id VCID-aecq-1mad-n7h1

summary

Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions.

Steps to reproduce (provided by reporter Liyuan Chen):
```js
var lo = require('lodash');

function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28500.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28500.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-28500

reference_id

reference_type

scores

value	0.00245
scoring_system	epss
scoring_elements	0.47926
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-28500

reference_url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_url

https://github.com/github/advisory-database/pull/6139

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/6139

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8

reference_url

https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a

reference_url

https://github.com/lodash/lodash/pull/5065

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/5065

reference_url

https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7

reference_url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-1018905

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-1018905

reference_url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1928954
reference_id	1928954
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1928954

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086
reference_id	985086
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-28500

reference_id

CVE-2020-28500

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-28500

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml

reference_id

CVE-2020-28500.YML

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml

reference_url

https://github.com/advisories/GHSA-29mw-wpgm-hmr9

reference_id

GHSA-29mw-wpgm-hmr9

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-29mw-wpgm-hmr9

reference_url	https://access.redhat.com/errata/RHSA-2021:2179
reference_id	RHSA-2021:2179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2179

reference_url	https://access.redhat.com/errata/RHSA-2021:2438
reference_id	RHSA-2021:2438
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2438

reference_url	https://access.redhat.com/errata/RHSA-2021:2543
reference_id	RHSA-2021:2543
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2543

reference_url	https://access.redhat.com/errata/RHSA-2021:3459
reference_id	RHSA-2021:3459
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3459

reference_url	https://access.redhat.com/errata/RHSA-2022:6429
reference_id	RHSA-2022:6429
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6429

fixed_packages

url	pkg:gem/lodash-rails@4.17.21
purl	pkg:gem/lodash-rails@4.17.21
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.21

aliases CVE-2020-28500, GHSA-29mw-wpgm-hmr9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aecq-1mad-n7h1

url VCID-k8q3-p39p-7ufs

vulnerability_id VCID-k8q3-p39p-7ufs

summary

Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype
Pollution. The functions `pick`, `set`, `setWith`, `update`,
`updateWith`, and `zipObjectDeep` allow a malicious user to
modify the prototype of Object if the property identifiers are
user-supplied. Being affected by this issue requires manipulating
objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an
existing property that will exist on all objects and may lead to
Denial of Service or Code Execution under specific circumstances.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8203.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8203.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8203

reference_id

reference_type

scores

value	0.02546
scoring_system	epss
scoring_elements	0.8575
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8203

reference_url

https://github.com/advisories/GHSA-p6mc-m468-83gw

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-p6mc-m468-83gw

reference_url

https://github.com/github/advisory-database/pull/2884

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/2884

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12

reference_url

https://github.com/lodash/lodash/issues/4744

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/issues/4744

reference_url

https://github.com/lodash/lodash/issues/4874

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/issues/4874

reference_url

https://github.com/lodash/lodash/wiki/Changelog#v41719

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/wiki/Changelog#v41719

reference_url

https://hackerone.com/reports/712065

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/712065

reference_url

https://hackerone.com/reports/864701

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/864701

reference_url

https://security.netapp.com/advisory/ntap-20200724-0006

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20200724-0006

reference_url

https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1857412
reference_id	1857412
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1857412

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965283
reference_id	965283
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965283

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8203

reference_id

CVE-2020-8203

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8203

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml

reference_id

CVE-2020-8203.YML

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml

reference_url	https://access.redhat.com/errata/RHSA-2020:3369
reference_id	RHSA-2020:3369
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:3369

reference_url	https://access.redhat.com/errata/RHSA-2020:3370
reference_id	RHSA-2020:3370
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:3370

reference_url	https://access.redhat.com/errata/RHSA-2020:3807
reference_id	RHSA-2020:3807
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:3807

reference_url	https://access.redhat.com/errata/RHSA-2020:4298
reference_id	RHSA-2020:4298
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:4298

reference_url	https://access.redhat.com/errata/RHSA-2020:5179
reference_id	RHSA-2020:5179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:5179

reference_url	https://access.redhat.com/errata/RHSA-2020:5611
reference_id	RHSA-2020:5611
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:5611

reference_url	https://access.redhat.com/errata/RHSA-2021:3917
reference_id	RHSA-2021:3917
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3917

fixed_packages

url	pkg:gem/lodash-rails@4.17.19
purl	pkg:gem/lodash-rails@4.17.19
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.19

aliases CVE-2020-8203, GHSA-p6mc-m468-83gw

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8q3-p39p-7ufs

url VCID-xwr9-5r2s-vucx

vulnerability_id VCID-xwr9-5r2s-vucx

summary

Prototype Pollution in lodash
Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution.  The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

references

reference_url

https://access.redhat.com/errata/RHSA-2019:3024

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2019:3024

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10744.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10744.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-10744

reference_id

reference_type

scores

value	0.18518
scoring_system	epss
scoring_elements	0.95372
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-10744

reference_url

https://github.com/lodash/lodash/pull/4336

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/4336

reference_url

https://security.netapp.com/advisory/ntap-20191004-0005

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20191004-0005

reference_url	https://security.netapp.com/advisory/ntap-20191004-0005/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20191004-0005/

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-450202

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-450202

reference_url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS

reference_url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS

reference_url	https://www.npmjs.com/advisories/1065
reference_id
reference_type
scores
url	https://www.npmjs.com/advisories/1065

reference_url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1739497
reference_id	1739497
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1739497

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079
reference_id	933079
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-10744

reference_id

CVE-2019-10744

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-10744

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml

reference_id

CVE-2019-10744.YML

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml

reference_url

https://github.com/advisories/GHSA-jf85-cpcp-j695

reference_id

GHSA-jf85-cpcp-j695

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-jf85-cpcp-j695

reference_url	https://access.redhat.com/errata/RHSA-2020:2362
reference_id	RHSA-2020:2362
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2362

reference_url	https://access.redhat.com/errata/RHSA-2020:2819
reference_id	RHSA-2020:2819
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2819

reference_url	https://access.redhat.com/errata/RHSA-2021:5134
reference_id	RHSA-2021:5134
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5134

reference_url	https://access.redhat.com/errata/RHSA-2022:5101
reference_id	RHSA-2022:5101
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5101

fixed_packages

url	pkg:gem/lodash-rails@4.17.12
purl	pkg:gem/lodash-rails@4.17.12
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.12

aliases CVE-2019-10744, GHSA-jf85-cpcp-j695

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xwr9-5r2s-vucx

Fixing_vulnerabilities

url VCID-r83z-aktw-sbav

vulnerability_id VCID-r83z-aktw-sbav

summary

Denial of Service
Prototype pollution attack (lodash / constructor.prototype)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16487.json

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16487.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-16487

reference_id

reference_type

scores

value	0.00468
scoring_system	epss
scoring_elements	0.64828
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-16487

reference_url

https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

reference_url

https://hackerone.com/reports/380873

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/380873

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1671878
reference_id	1671878
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1671878

reference_url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/493.json

reference_id

493

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/493.json

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-16487

reference_id

CVE-2018-16487

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-16487

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml

reference_id

CVE-2018-16487.YML

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml

reference_url

https://github.com/advisories/GHSA-4xc9-xhrj-v574

reference_id

GHSA-4xc9-xhrj-v574

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-4xc9-xhrj-v574

fixed_packages

url pkg:gem/lodash-rails@4.17.11

purl pkg:gem/lodash-rails@4.17.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.11

aliases CVE-2018-16487, GHSA-4xc9-xhrj-v574

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r83z-aktw-sbav

url VCID-xvf6-pgw4-nuhu

vulnerability_id VCID-xvf6-pgw4-nuhu

summary

Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled
Resource Consumption. The impact is: Denial of service. The
component is: Date handler. The attack vector is: Attacker
provides very long strings, which the library attempts
to match using a regular expression.

The fixed version is: 4.7.11.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1010266.json

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1010266.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-1010266

reference_id

reference_type

scores

value	0.00207
scoring_system	epss
scoring_elements	0.43092
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-1010266

reference_url

https://github.com/advisories/GHSA-x5rq-j2xg-h7qm

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-x5rq-j2xg-h7qm

reference_url

https://github.com/github/advisory-database/pull/6138

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/6138

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347

reference_url

https://github.com/lodash/lodash/issues/3359

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/issues/3359

reference_url

https://github.com/lodash/lodash/wiki/Changelog

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/wiki/Changelog

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-73639

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-73639

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1743096
reference_id	1743096
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1743096

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-1010266

reference_id

CVE-2019-1010266

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-1010266

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml

reference_id

CVE-2019-1010266.YML

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml

reference_url	https://access.redhat.com/errata/RHSA-2021:3917
reference_id	RHSA-2021:3917
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3917

fixed_packages

url pkg:gem/lodash-rails@4.17.11

purl pkg:gem/lodash-rails@4.17.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.11

aliases CVE-2019-1010266, GHSA-x5rq-j2xg-h7qm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xvf6-pgw4-nuhu

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.11

Package Instance