Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 3
Severity: Medium
Description
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Recommendation
No fix is available yet. The following versions are affected:
- >= 4.0.0, <= 4.5.1
References
- GHSA-29mw-wpgm-hmr9
- snyk.io
- www.oracle.com
- cert-portal.siemens.com
- security.netapp.com
- CVE-2020-28500
- CWE-1333
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 2 - CVE-2020-28500
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) 2 - CVE-2025-4644
- Pug allows JavaScript code execution if an application accepts untrusted input - CVE-2024-36361
Tags:
- npm
- lodash.trimend
Last updated on September 29, 2025