Description
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Recommendation
Update the lodash package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 4.0.0, < 4.17.21
- Patched version(s): 4.17.21
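Added example, not code from the advisory or from the lodash project: a small lockfile check that flags every copy of lodash (top-level or nested) whose version falls inside the affected range above, so the finding can be confirmed before updating. The `package-lock.json` layout assumed is the lockfileVersion 2/3 `packages` map, and the sample lockfile is constructed for the example.

```javascript
// Parse "MAJOR.MINOR.PATCH"; a prerelease/build suffix is dropped (treated as the
// release). Returns null for anything that is not a plain semver triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Component-wise compare of two parsed triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in [4.0.0, 4.17.21), the range the advisory lists.
function isAffectedLodash(version) {
  const v = parseVersion(version);
  if (v === null) return false; // unparseable: report separately if desired
  return compareVersions(v, [4, 0, 0]) >= 0 && compareVersions(v, [4, 17, 21]) < 0;
}

// Walk the lockfile's "packages" map and return "path@version" for every lodash
// install still in the affected range; nested copies under other deps count too.
function findAffectedLodash(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isLodash = path === 'node_modules/lodash' || path.endsWith('/node_modules/lodash');
    if (isLodash && isAffectedLodash(entry.version)) hits.push(`${path}@${entry.version}`);
  }
  return hits;
}

// Constructed sample lockfile: the direct copy is still vulnerable, the nested
// copy is already on the patched release, and lodash-es is a different package.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.20' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash-es': { version: '4.17.20' },
  },
};

console.log(findAffectedLodash(SAMPLE_LOCKFILE)); // → [ 'node_modules/lodash@4.17.20' ]
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.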
References
- GHSA-29mw-wpgm-hmr9
- snyk.io
- www.oracle.com
- cert-portal.siemens.com
- security.netapp.com
- CVE-2020-28500
- CWE-1333
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
- Payload's SQLite adapter Session Fixation vulnerability - CVE-2025-4644
- Command Injection in lodash - CVE-2021-23337
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
Tags
- npm
- lodash
Last updated on September 29, 2025