CVE-2019-1010266
MEDIUM
lodash < 4.17.11 - Denial of Service via Date Handler Regular Expression
Title source: llm
Description
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
References (4)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-LODASH-73639
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/lodash/lodash/issues/3359
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/lodash/lodash/wiki/Changelog
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190919-0004/
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
43.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
CWE-400
Status
published
Products (5)
lodash/lodash
< 4.17.11
npm/lodash
4.7.0 - 4.17.11 npm
npm/lodash-amd
4.7.0 - 4.17.11 npm
npm/lodash-es
4.7.0 - 4.17.11 npm
rubygems/lodash-rails
4.7.0 - 4.17.11 RubyGems
Published
Jul 17, 2019
Tracked Since
Feb 18, 2026