Description
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Each of these functions stripped surrounding whitespace with a regular expression that backtracks quadratically on a long run of whitespace followed by a non-whitespace character, so an attacker who controls the string passed to them can block the JavaScript event loop for seconds with an input of a few tens of thousands of characters.
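The following is an added example written for this page, not code from lodash itself. It reproduces the shape of the vulnerable trim (a trailing-whitespace regex of the form `/\s+$/`), beside a backwards character scan of the kind lodash 4.17.21 switched to, and times both on a constructed pathological input. The function names `trimEndRegex`, `trimEndScan`, `trimScan`, `redosInput` and `compare` are this example's own.

```javascript
// Added example (not lodash's own code): the ReDoS shape behind
// CVE-2020-28500 and a linear-time replacement.
//
// On input that is mostly whitespace followed by one non-whitespace
// character, /\s+$/ is tried at every position: it greedily consumes the
// run of whitespace, fails at `$`, and backtracks one character at a time.
// Each start position costs O(n), so the whole match is O(n^2).

// Vulnerable shape: regex-based trimEnd, mirroring the pre-4.17.21 pattern.
const reTrimEnd = /\s+$/;
function trimEndRegex(str) {
  return String(str).replace(reTrimEnd, '');
}

// Hardened shape: scan backwards one character at a time. Every index is
// visited at most once, so the cost is linear regardless of content.
const reWhitespace = /\s/;
function trimmedEndIndex(str) {
  let index = str.length;
  while (index > 0 && reWhitespace.test(str[index - 1])) index--;
  return index;
}
function trimEndScan(str) {
  str = String(str);
  return str.slice(0, trimmedEndIndex(str));
}

// Full trim: the leading-whitespace regex is anchored with `^`, so it is
// only ever tried at position 0 and cannot backtrack quadratically. This is
// the same trim that a toNumber-style conversion would apply before `+str`.
const reTrimStart = /^\s+/;
function trimScan(str) {
  str = String(str);
  return str.slice(0, trimmedEndIndex(str)).replace(reTrimStart, '');
}

// Constructed pathological input: a run of whitespace terminated by a
// non-space character, so /\s+$/ never matches but backtracks everywhere.
function redosInput(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock time of one implementation on one input, in milliseconds.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Run both implementations over increasing sizes. The regex version's time
// should roughly quadruple when n doubles; the scan version stays flat.
function compare(sizes) {
  return sizes.map((n) => {
    const input = redosInput(n);
    return {
      n,
      regexMs: timeMs(trimEndRegex, input),
      scanMs: timeMs(trimEndScan, input),
      sameResult: trimEndRegex(input) === trimEndScan(input),
    };
  });
}

// Small sizes keep the demonstration quick; raise them (e.g. 50000) to see
// the regex version take seconds while the scan stays at a few milliseconds.
for (const row of compare([1000, 2000, 4000])) {
  console.log(row);
}
```

Both implementations return identical strings; only the cost differs. When auditing other code for the same bug, look for an unanchored `\s+$` (or any unanchored repeat followed by an assertion that can fail) applied to attacker-controlled input.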
Recommendation
Update the lodash package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 4.0.0, < 4.17.21
- Patched version(s): 4.17.21
References
- GHSA-29mw-wpgm-hmr9
- snyk.io
- www.oracle.com
- cert-portal.siemens.com
- security.netapp.com
- CVE-2020-28500
- CWE-1333
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Elliptic's verify function omits uniqueness validation - CVE-2024-48949
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- Strapi is vulnerable to Insufficient Session Expiration - CVE-2025-3930
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
Tags:
- npm
- lodash
Last updated on September 29, 2025