Lodash Vulnerability

The package.json file in this repo references an insecure version of lodash and should be updated at least to version 4.17.5.

Ref: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Is there any progress on PR #48?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 23
  • Comments: 5

Top GitHub Comments

2 reactions
Dudeful commented, Dec 13, 2020

Just found this out, for anyone looking for a consistent solution for signing URLs in a production-reliable way:

https://github.com/jasonsims/aws-cloudfront-sign/pull/52#issuecomment-524302869

1 reaction
shaman79 commented, Nov 25, 2020

Seriously, this issue has been here for two years and no action has been taken. The vulnerability is critical, lodash must be updated ASAP.
