Skip to content

chore(deps): update dependency lodash to v4.18.1 [security]#67

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-lodash-vulnerability
Open

chore(deps): update dependency lodash to v4.18.1 [security]#67
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-lodash-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Oct 25, 2023

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.134.18.1 age confidence

Command Injection in lodash

CVE-2021-23337 / GHSA-35jh-r3h4-6jhm

More information

Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Severity

  • CVSS Score: 7.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Prototype Pollution in lodash

CVE-2019-10744 / GHSA-jf85-cpcp-j695

More information

Details

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Prototype Pollution in lodash

CVE-2020-8203 / GHSA-p6mc-m468-83gw

More information

Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Regular Expression Denial of Service (ReDoS) in lodash

CVE-2020-28500 / GHSA-29mw-wpgm-hmr9

More information

Details

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions

CVE-2025-13465 / GHSA-xxjr-mmjv-4gpg

More information

Details

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


lodash vulnerable to Code Injection via _.template imports key names

CVE-2026-4800 / GHSA-r5fr-rjxr-66jc

More information

Details

Impact

The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches

Users should upgrade to version 4.18.0.

The fix applies two changes:

  1. Validate importsKeys against the existing reForbiddenIdentifierChars regex (same check already used for the variable option)
  2. Replace assignInWith with assignWith when merging imports, so only own properties are enumerated
Workarounds

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit

CVE-2026-2950 / GHSA-f23m-r3pf-42rh

More information

Details

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

lodash/lodash (lodash)

v4.18.1

Compare Source

v4.18.0

Compare Source

v4.17.23

Compare Source

v4.17.21

Compare Source

v4.17.20

Compare Source

v4.17.19

v4.17.16

Compare Source

v4.17.15

Compare Source

v4.17.14

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Oct 25, 2023

Copy link
Copy Markdown
Author

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 0db04ff to 77d3145 Compare December 3, 2023 09:39
@renovate renovate Bot changed the title fix(deps): update dependency lodash to v4.17.19 [security] fix(deps): update dependency lodash to v4.17.19 [security] - autoclosed Dec 15, 2023
@renovate renovate Bot closed this Dec 15, 2023
@renovate renovate Bot deleted the renovate/npm-lodash-vulnerability branch December 15, 2023 18:09
@renovate renovate Bot changed the title fix(deps): update dependency lodash to v4.17.19 [security] - autoclosed fix(deps): update dependency lodash to v4.17.19 [security] Dec 15, 2023
@renovate renovate Bot reopened this Dec 15, 2023
@renovate renovate Bot restored the renovate/npm-lodash-vulnerability branch December 15, 2023 22:36
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 77d3145 to 2108ac2 Compare December 15, 2023 22:37
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 2108ac2 to 3f5ddc1 Compare August 6, 2024 10:06
@renovate renovate Bot changed the title fix(deps): update dependency lodash to v4.17.19 [security] fix(deps): update dependency lodash to v4.17.21 [security] Aug 6, 2024
@renovate renovate Bot changed the title fix(deps): update dependency lodash to v4.17.21 [security] chore(deps): update dependency lodash to v4.17.21 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 3f5ddc1 to de82926 Compare November 10, 2025 16:44
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from de82926 to 765e889 Compare November 19, 2025 00:37
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 765e889 to 0bc53db Compare January 24, 2026 08:40
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.21 [security] chore(deps): update dependency lodash to v4.17.23 [security] Jan 24, 2026
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-lodash-vulnerability branch March 27, 2026 01:22
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed chore(deps): update dependency lodash to v4.17.23 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 0bc53db to 24a06da Compare March 30, 2026 17:29
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed Mar 31, 2026
@renovate renovate Bot closed this Mar 31, 2026
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed chore(deps): update dependency lodash to v4.17.23 [security] Apr 1, 2026
@renovate renovate Bot reopened this Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 24a06da to 4264913 Compare April 1, 2026 13:22
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 4264913 to dd12dcf Compare April 9, 2026 15:04
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] chore(deps): update dependency lodash to v4.18.1 [security] Apr 9, 2026
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.18.1 [security] chore(deps): update dependency lodash to v4.18.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.18.1 [security] - autoclosed chore(deps): update dependency lodash to v4.18.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from dd12dcf to 8361f8a Compare April 27, 2026 22:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants