Denial of Service Vulnerability in Lodash JavaScript Library
CVE-2019-1010266

6.5 MEDIUM

Key Information:

Vendor

Lodash

Status
Vendor
CVE Published:
17 July 2019

What is CVE-2019-1010266?

The Lodash JavaScript library versions prior to 4.17.11 contain a vulnerability that can lead to Denial of Service due to uncontrolled resource consumption. Attackers can exploit this vulnerability by inputting excessively long strings, which the library attempts to process using regular expressions. This may result in significant resource utilization, affecting the performance and availability of applications relying on the affected versions of Lodash. It is essential for developers to upgrade to version 4.17.11 or later to mitigate this risk.
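The two checks a defender would want around this issue, as an added example that is not code from the advisory or the lodash project: a version test for the affected range (below 4.17.11) and a length bound applied to untrusted strings before they reach regex-based processing. The function names, the 1024-character limit and the sample inputs are constructed for this example, and native `String.prototype.trim` stands in for the library call since lodash is not loaded here.

```javascript
// Added example (not from the advisory or the lodash project): two defensive
// checks an application can apply around the issue described above.
// 1. isAffectedLodash(): flag a lodash version in the affected range (< 4.17.11).
// 2. guardStringInput(): bound untrusted string length before it reaches
//    regex-based processing, so an over-long input is rejected cheaply
//    instead of being handed to a pattern that may backtrack.
// Names, the default limit and the sample inputs are constructed for this example.

const FIXED_LODASH = [4, 17, 11]; // first non-affected version per the advisory

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns true when `version` is older than 4.17.11 (i.e. in the affected range).
function isAffectedLodash(version) {
  const v = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_LODASH[i]) return v[i] < FIXED_LODASH[i];
  }
  return false; // exactly 4.17.11
}

// Reject inputs longer than `maxLen` before any regex processing runs.
// Returns { ok: true, value } or { ok: false, reason }.
function guardStringInput(value, maxLen = 1024) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > maxLen) {
    return { ok: false, reason: `length ${value.length} exceeds limit ${maxLen}` };
  }
  return { ok: true, value };
}

// Constructed sample flow: bound a user-supplied field, then trim it.
// With the guard in place an over-long input never reaches the regex step.
function processField(raw, maxLen) {
  const g = guardStringInput(raw, maxLen);
  if (!g.ok) return { accepted: false, reason: g.reason };
  return { accepted: true, value: g.value.trim() };
}

// Stand-alone demonstration on constructed inputs.
console.log('4.17.10 affected:', isAffectedLodash('4.17.10'));
console.log('4.17.11 affected:', isAffectedLodash('4.17.11'));
console.log(processField('  user input  ', 1024));
console.log(processField('x'.repeat(5000), 1024));
```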

Affected Version(s)

lodash <4.17.11 [fixed: 4.17.11]

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
