Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9)
Severity: Medium
Description
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Recommendation
Update the lodash-es package to the latest compatible version. Version details:
- Affected version(s): >= 4.0.0, < 4.17.21
- Patched version(s): 4.17.21
References
- GHSA-29mw-wpgm-hmr9
- snyk.io
- www.oracle.com
- cert-portal.siemens.com
- security.netapp.com
- CVE-2020-28500
- CWE-1333
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
- CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
- Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) - CVE-2025-4644
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
Tags:
- npm
- lodash-es
Last updated on September 29, 2025