Regular Expression Denial of Service (ReDoS) in lodash · CVE-2019-1010266 · GitHub Advisory Database · GitHub

Regular Expression Denial of Service (ReDoS) in lodash

Moderate severity GitHub Reviewed Published Jul 19, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

lodash (npm)

Affected versions

< 4.17.11

Patched versions

4.17.11

lodash-amd (npm)

< 4.17.11

4.17.11

lodash-es (npm)

< 4.17.11

4.17.11

Description

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

References

Reviewed Jul 19, 2019

Published to the GitHub Advisory Database Jul 19, 2019

Last updated Jan 9, 2023