Regular Expression Denial of Service (ReDoS) in lodash
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Lodash prior to 4.17.11 is affected by CWE-400 (Uncontrolled Resource Consumption). The impact is denial of service. The affected component is the Date handler. The attack vector: an attacker provides very long strings, which the library attempts to match using a regular expression.
Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
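As an added example, not lodash's own code and not a payload taken from the advisories, the JavaScript below shows the pattern behind the defaultsDeep and zipObjectDeep entries above: a naive recursive defaults merge that follows "__proto__" and "constructor.prototype" keys straight into Object.prototype, beside a hardened version that refuses those keys and only recurses into plain objects the target owns itself, plus a canary check a test suite can run to detect pollution. The payload strings and the "polluted" property name are constructed for this illustration.

```javascript
// Added illustration, not lodash's code: a minimal recursive "defaults" merge
// in the shape of the pattern the defaultsDeep / zipObjectDeep advisories
// describe, shown vulnerable and hardened. Payloads below are constructed.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => Object.prototype.toString.call(v) === '[object Object]';

// Vulnerable: treats "__proto__" and "constructor" like any other key and
// recurses through whatever target[key] resolves to, including inherited
// values: target.constructor is Object, and Object.prototype / target.__proto__
// is the shared prototype every plain object reads from.
function defaultsDeepNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      defaultsDeepNaive(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: never descend into prototype-chain keys, and only recurse into a
// plain object that target owns itself; inherited values are never written.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key)) target[key] = {};
      // an own non-object default wins; do not replace it with a container
      if (isPlainObject(target[key])) defaultsDeepSafe(target[key], value);
    } else if (!hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Canary: has an attacker-chosen property landed on Object.prototype?
function isPolluted(prop) {
  return hasOwn(Object.prototype, prop);
}

// Run one merge against a JSON payload from a clean state, report whether
// Object.prototype was modified, then restore it so later code is unaffected.
function pollutes(mergeFn, payloadJson) {
  delete Object.prototype.polluted;
  mergeFn({}, JSON.parse(payloadJson));
  const hit = isPolluted('polluted') && ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}

// Constructed payloads for the illustration. JSON.parse creates an own
// "__proto__" key, so Object.keys() yields it and the merge walks into it.
const PROTO_PAYLOAD = '{"__proto__": {"polluted": "yes"}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "yes"}}}';

console.log('naive, __proto__ payload   :', pollutes(defaultsDeepNaive, PROTO_PAYLOAD));
console.log('naive, constructor payload :', pollutes(defaultsDeepNaive, CONSTRUCTOR_PAYLOAD));
console.log('safe,  __proto__ payload   :', pollutes(defaultsDeepSafe, PROTO_PAYLOAD));
console.log('safe,  constructor payload :', pollutes(defaultsDeepSafe, CONSTRUCTOR_PAYLOAD));
```

The key-denylist alone is not the whole fix: the hardened version also refuses to recurse into anything the target does not own as a plain object, which is what stops a payload from reaching a shared object through an inherited property. The canary check is cheap enough to run after every test file in a suite that feeds untrusted JSON into a merge.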