PT-2021-3189 · Lodash · Lodash

Liyuan Chen · Published 2021-02-15 · Updated 2025-07-20 · CVE-2020-28500

CVSS v2.0: 7.5 (High) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: lodash versions prior to 4.17.21

Description: The toNumber, trim, and trimEnd functions in the lodash library are affected by a Regular Expression Denial of Service (ReDoS) issue. Crafted input to these functions leads to uncontrolled consumption of resources, potentially causing a denial of service. The vulnerability can be exploited by a remote attacker.

Recommendations: For versions prior to 4.17.21, update to version 4.17.21 or later to resolve the issue. As a temporary workaround, consider disabling the toNumber, trim, and trimEnd functions until a patch is available, and restrict the use of these functions to minimize the risk of exploitation.

Exploit · Fix · Resource Exhaustion · DoS

Weakness Enumeration

Related Identifiers

AZL-44085
BDU:2021-02880
CVE-2020-28500
GHSA-29MW-WPGM-HMR9
RHSA-2021:2179
RHSA-2021:3459
SNYK-JAVA-ORGFUJIONWEBJARS-1074896
SNYK-JAVA-ORGWEBJARS-1074894
SNYK-JAVA-ORGWEBJARSBOWER-1074892
SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
SNYK-JAVA-ORGWEBJARSNPM-1074893
SNYK-JS-LODASH-1018905

Affected Products

Lodash