Lodash, a popular JavaScript utility library, saw a significant update between version 2.4.2 and 3.0.0. While both versions are licensed under MIT and maintain the same author and repository, version 3.0.0 marks a shift towards a more modular approach. This means developers can now import specific Lodash functions as needed, reducing the overall bundle size of their applications compared to including the entire library as in version 2.4.2, where modularity wasn't as emphasized.
The core description also highlights this change, with 3.0.0 being explicitly described as "the modern build of lodash modular utilities". This is a key improvement for performance-conscious developers. Notably, despite being released earlier, version 2.4.2 has a later releaseDate than 3.0.0, showcasing an anomaly related to publication times. The repository URL in 2.4.2 includes the .git extension, which is absent in version 3.0.0, pointing to a small difference in how the repository URL was formatted in the package metadata. Choosing between the two depends on project needs; if bundle size and need to only import certain utilities is important, version 3.0.0 and above should be considered. If the project already implemented version 2.4.2 there are no immediate security concerns that require immediate update.
All the vulnerabilities related to the version 3.0.0 of the package
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.