Skip to content

[GHSA-29mw-wpgm-hmr9] Regular Expression Denial of Service (ReDoS) in lodash#6139

Merged
advisory-database[bot] merged 1 commit intolevpachmanov/advisory-improvement-6139from
levpachmanov-GHSA-29mw-wpgm-hmr9
Sep 29, 2025
Merged

[GHSA-29mw-wpgm-hmr9] Regular Expression Denial of Service (ReDoS) in lodash#6139
advisory-database[bot] merged 1 commit intolevpachmanov/advisory-improvement-6139from
levpachmanov-GHSA-29mw-wpgm-hmr9

Conversation

@levpachmanov
Copy link
Copy Markdown

@levpachmanov levpachmanov commented Sep 15, 2025

Updates

  • Affected products

Comments
I took the unittest which were added in lodash/lodash@c4847eb, wrote them as a single file, and ran on 3.10.1 and 4.0.0:

const _ = require('lodash');

console.log('lodash version:', _.VERSION);
const funcs1 = ['toFinite', 'toInteger', 'toNumber', 'toSafeInteger'];

var largeStrLen = 50000;
var largeStr = '1' + Array(largeStrLen + 1).join(' ') + '1';
var maxMs = 1000;

for (var i = 0; i < funcs1.length; i++) {
    var methodName = funcs1[i];
    if (Object.prototype.hasOwnProperty.call(_, methodName)) {
        var startTime = _.now();
        var result = _[methodName](largeStr);
        if (methodName === 'toNumber' ? !isNaN(result) : result !== 0) {
            console.log(methodName, 'ERROR', result);
            continue;
        }
        var endTime = _.now();
        var timeSpent = endTime - startTime;
        if (timeSpent > maxMs) {
            console.log('VULNERABLE', methodName, 'time spent:', timeSpent, 'ms');
        } else {
            console.log(methodName, 'time spent:', timeSpent, 'ms');
        }
    } else {
        console.log(methodName, 'NOT FOUND');
    }
}

const funcs2 = ['trim', 'trimStart', 'trimEnd'];

var largeStr = 'A' + Array(largeStrLen + 1).join(' ') + 'A';
for (var i = 0; i < funcs2.length; i++) {
    var methodName = funcs2[i];
    if (Object.prototype.hasOwnProperty.call(_, methodName)) {
        var startTime = _.now();
        var result = _[methodName](largeStr);
        if (result !== largeStr) {
            console.log('ERROR');
        }
        var endTime = _.now();
        var timeSpent = endTime - startTime;
        if (timeSpent > maxMs) {
            console.log('VULNERABLE', methodName, 'time spent:', timeSpent, 'ms');
        } else {
            console.log(methodName, 'time spent:', timeSpent, 'ms');
        }
    } else {
        console.log(methodName, 'NOT FOUND');
    }
}

output for 3.10.1:

lodash version: 3.10.0
toFinite NOT FOUND
toInteger NOT FOUND
toNumber NOT FOUND
toSafeInteger NOT FOUND
trim time spent: 0 ms
trimStart NOT FOUND
trimEnd NOT FOUND

output for 4.0.0:

toFinite NOT FOUND
VULNERABLE toInteger time spent: 1166 ms
VULNERABLE toNumber time spent: 1360 ms
VULNERABLE toSafeInteger time spent: 1197 ms
VULNERABLE trim time spent: 1187 ms
trimStart time spent: 0 ms
VULNERABLE trimEnd time spent: 1198 ms

@github-actions github-actions bot changed the base branch from main to levpachmanov/advisory-improvement-6139 September 15, 2025 14:24
@helixplant
Copy link
Copy Markdown

helixplant commented Sep 19, 2025

Hi @levpachmanov, we are in the process of reviewing this information and will follow up when we have more on the matter. This applies to #6138 as well. Thank you for your patience!

@levpachmanov
Copy link
Copy Markdown
Author

levpachmanov commented Sep 28, 2025

Hi @helixplant, anything I can do to help get this one and #6318 processed?

@helixplant
Copy link
Copy Markdown

helixplant commented Sep 29, 2025

Hi @levpachmanov,
Thank you for your patience. After our review, we observed noticeable differences that suggest introducing a lower bound of 4.0.0 for GHSA-29mw-wpgm-hmr9 would be reasonable. Thank you for your contribution.

@advisory-database advisory-database bot merged commit d8edc60 into levpachmanov/advisory-improvement-6139 Sep 29, 2025
4 checks passed
@advisory-database
Copy link
Copy Markdown
Contributor

advisory-database bot commented Sep 29, 2025

Hi @levpachmanov! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the levpachmanov-GHSA-29mw-wpgm-hmr9 branch September 29, 2025 20:19
westonsteimel added a commit to anchore/vulnerability-match-labels that referenced this pull request Sep 30, 2025
@westonsteimel
update label based on GHSA updates
858ae96 
github/advisory-database#6139 placed a lower
bound on a couple of advisories related to NPM packages which causes
some TP labels to be FPs for older versions of the packages.

Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
@westonsteimel westonsteimel mentioned this pull request Sep 30, 2025
Merged
westonsteimel added a commit to anchore/vulnerability-match-labels that referenced this pull request Sep 30, 2025
@westonsteimel
update label based on GHSA updates (#160)
6d1e728 
github/advisory-database#6139 placed a lower
bound on a couple of advisories related to NPM packages which causes
some TP labels to be FPs for older versions of the packages.

Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Keep

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@levpachmanov @helixplant