Moderate severity · NVD Advisory · Published Jul 17, 2019 · Updated Aug 5, 2024
CVE-2019-1010266
Description
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Note on the component: the fix commit listed under Patches changes only `reHasUnicodeWord` in lodash.js, the regular expression that decides whether `_.words` must fall back to the Unicode-aware word pattern, and the accompanying test exercises `_.words` on a 50000-character input. The vulnerable code is this word-splitting pre-check, not a date handler.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| lodash | npm | >= 4.7.0, < 4.17.11 | 4.17.11 |
| lodash-es | npm | >= 4.7.0, < 4.17.11 | 4.17.11 |
| lodash-amd | npm | >= 4.7.0, < 4.17.11 | 4.17.11 |
| lodash-rails | RubyGems | >= 4.7.0, < 4.17.11 | 4.17.11 |
Patches
1 patch · 2 files changed · +17 −1
lodash.js+1 −1 modified@@ -276,7 +276,7 @@ var reHasUnicode = RegExp('[' + rsZWJ + rsAstralRange + rsComboRange + rsVarRange + ']'); /** Used to detect strings that need a more robust regexp to match words. */ - var reHasUnicodeWord = /[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/; + var reHasUnicodeWord = /[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/; /** Used to assign default `context` object properties. */ var contextProps = [
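Review bot: the quantifier change from `[A-Z]{2,}[a-z]` to `[A-Z]{2}[a-z]` is the entire fix, and the comment above `reHasUnicodeWord` should record why, because nothing in this hunk stops a later contributor from restoring the unbounded form. On a long run of capitals with no lowercase letter after it, the old alternative greedily consumes the rest of the string at every start offset and then backtracks one character at a time while `[a-z]` keeps failing, so a single `test` call does work quadratic in the input length; the other four alternatives are fixed-width and cannot backtrack this way. The fixed-width form is equivalent as a detector, since any run of two or more capitals followed by a lowercase letter contains two capitals followed by that letter, so `_.words` output is unchanged. Suggest extending the comment along the lines of `/** Used to detect strings that need a more robust regexp to match words. Keep every alternative fixed-width: `[A-Z]{2,}` caused quadratic backtracking (ReDoS). */`.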
test/test.js+16 −0 modified@@ -25358,6 +25358,22 @@ assert.deepEqual(actual, [['a'], ['b'], ['c']]); }); + + var maxMs = 5; + QUnit.test(`should take less than ${maxMs} ms to prevent ReDoS`, function(assert) { + assert.expect(3); + + var hugeWordLen = 50000; + var hugeWord = 'A'.repeat(hugeWordLen); + var startTime = Date.now(); + assert.deepEqual(_.words(hugeWord+'AeiouAreVowels'), [hugeWord, 'Aeiou', 'Are', 'Vowels']); + assert.deepEqual(_.words(hugeWord+'ÆiouAreVowels'), [hugeWord, 'Æiou', 'Are', 'Vowels']); + var endTime = Date.now(); + var timeSpent = endTime - startTime; + + assert.ok(timeSpent < maxMs, `operation took ${timeSpent} ms`); + }); + }()); /*--------------------------------------------------------------------------*/
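Review bot: the `timeSpent < maxMs` assertion with `maxMs = 5` ties the test to machine speed and will fail intermittently on a loaded CI runner, and `Date.now()` only has millisecond resolution, so the measured value is noise-dominated even when the fix is in place. The two `deepEqual` calls on the 50000-character word are the real regression check (the old pattern would take seconds there); either drop the timing assertion or give it a budget of a few hundred milliseconds so it only catches the quadratic case. Separately, `String.prototype.repeat` and the template literal in the test name are ES2015 features while the surrounding file sticks to `var` and string concatenation; confirm the oldest engine in the test matrix supports them or guard the test accordingly.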
Vulnerability mechanics
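The mechanics behind the patch above, as an added example written for this page (it is not lodash's own code). The two `reHasUnicodeWord` constants are copied verbatim from the diff; the function names `detectorsAgreeOnAllShortStrings`, `worstCaseInput`, `timeDetector` and `compareDetectors`, the test alphabet and the timing harness are constructed here, and Node.js is assumed for `process.hrtime`. The example shows two things a practitioner would want to confirm before accepting the one-character fix: that the old and new detectors accept exactly the same strings (checked exhaustively over every short string built from one character of each class the pattern uses), and that on a run of capitals with no following lowercase letter the old pattern's running time grows quadratically while the patched one stays linear, even though neither pattern matches the input.

```javascript
// Added example for this page, not lodash's own code. The two regexps are copied
// verbatim from the fix commit's diff; everything else here is constructed.
'use strict';

// Pre-4.17.11 detector: the second alternative has an unbounded greedy quantifier.
const reHasUnicodeWordVuln =
  /[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/;

// 4.17.11 detector: every alternative is fixed-width, so a failed attempt at one
// start offset costs a constant number of steps.
const reHasUnicodeWordFixed =
  /[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/;

// Equivalence: a run of two or more capitals followed by a lowercase letter always
// contains its last two capitals followed by that letter, and the converse is trivial,
// so both regexps accept exactly the same strings. Check this exhaustively for every
// string up to `maxLen` over an alphabet with one member of each character class the
// pattern uses. Returns the number of strings checked, or -1 on the first disagreement.
function detectorsAgreeOnAllShortStrings(maxLen) {
  const alphabet = ['A', 'a', '0', '#', ' '];
  let checked = 0;
  const walk = (s) => {
    if (reHasUnicodeWordVuln.test(s) !== reHasUnicodeWordFixed.test(s)) return false;
    checked += 1;
    if (s.length === maxLen) return true;
    return alphabet.every((ch) => walk(s + ch));
  };
  return walk('') ? checked : -1;
}

// Worst case for the old pattern: a run of capitals with no lowercase letter after it.
// At each of the n start offsets `[A-Z]{2,}` greedily eats the rest of the input, then
// gives back one character at a time while `[a-z]` fails, so the work is about n^2 / 2.
function worstCaseInput(n) {
  return 'A'.repeat(n);
}

// Time a single `test` call; returns the match result and the elapsed milliseconds.
function timeDetector(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Run both detectors on the same constructed worst-case input of length n.
function compareDetectors(n) {
  const input = worstCaseInput(n);
  const vuln = timeDetector(reHasUnicodeWordVuln, input);
  const fixed = timeDetector(reHasUnicodeWordFixed, input);
  return {
    n,
    vulnMatched: vuln.matched,   // false: a pure run of capitals has no word boundary
    fixedMatched: fixed.matched, // false: same verdict from the patched pattern
    vulnMs: vuln.ms,
    fixedMs: fixed.ms,
  };
}

// Stand-alone demo: doubling n roughly quadruples the old detector's time.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('detectors agree on', detectorsAgreeOnAllShortStrings(5), 'short strings');
  for (const n of [5000, 10000, 20000]) {
    const r = compareDetectors(n);
    console.log(`n=${r.n}: old ${r.vulnMs.toFixed(1)} ms, fixed ${r.fixedMs.toFixed(3)} ms`);
  }
}
```

Run it with `node` and raise `n` towards the 50000 used by the patched test to see the old pattern cross into seconds; the exhaustive equivalence check is what justifies shipping the fix without a change to `_.words` expectations.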
References
- github.com/advisories/GHSA-x5rq-j2xg-h7qm (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1010266 (NVD)
- github.com/github/advisory-database/pull/6138
- github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347 (fix commit)
- github.com/lodash/lodash/issues/3359 (upstream issue)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml (lodash-rails advisory)
- security.netapp.com/advisory/ntap-20190919-0004 (vendor advisory)
- snyk.io/vuln/SNYK-JS-LODASH-73639