CVE-2019-1010266
Uncontrolled Resource Consumption vulnerability in lodash (npm)
What is CVE-2019-1010266 About?
This Uncontrolled Resource Consumption (CWE-400) vulnerability affects lodash versions prior to 4.17.11, specifically in its date handler. An attacker can trigger a denial of service by supplying very long strings that cause the library's regular expression matching to consume excessive CPU time. Exploitation is remote and relatively easy to trigger.
Affected Software
- lodash
  - >4.7.0, <4.17.11
- lodash-es
  - >4.7.0, <4.17.11
- lodash-amd
  - >4.7.0, <4.17.11
- lodash-rails
  - >4.7.0, <4.17.11
Technical Details
The vulnerability in lodash prior to 4.17.11 (CWE-400: Uncontrolled Resource Consumption) resides in the date handler. When the library processes dates or related string operations that rely on regular expressions, it is susceptible to a Regular Expression Denial of Service (ReDoS) attack. An attacker can supply a very long, specially crafted string that, when matched against certain regular expressions within lodash, causes the regex engine to backtrack excessively. This exponential time complexity leads to a large increase in processing time and CPU consumption, effectively causing a denial of service for the application or server using the vulnerable lodash instance.
What is the Impact of CVE-2019-1010266?
Successful exploitation may allow attackers to consume excessive CPU resources, leading to a denial of service (DoS) for the application or server and impacting availability.
What is the Exploitability of CVE-2019-1010266?
Exploitation is remote and of low to moderate complexity. An attacker needs to provide a large, specially crafted string input to an application that uses a vulnerable version of lodash in a context where date handling (or other regex-sensitive operations) occurs. No authentication is typically required if the input field is publicly accessible. Privilege requirements are low, as the attack targets the processing capacity of the server. The primary condition is that user-supplied input is passed to vulnerable lodash functions without sufficient validation or length restrictions. The likelihood of exploitation increases significantly if the application accepts and processes untrusted, unvalidated string input that can trigger ReDoS patterns.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-1010266?
About the Fix from Resolved Security
This patch corrects the `reHasUnicodeWord` regular expression by changing `[A-Z]{2,}[a-z]` to `[A-Z]{2}[a-z]`, preventing catastrophic backtracking on certain crafted input. This addresses CVE-2019-1010266, a Regular Expression Denial of Service (ReDoS) vulnerability, by limiting the pattern's ambiguity and thus ensuring that word splitting in lodash operates in predictable, efficient time even for large or malicious inputs.
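The following is an added example, not lodash's own code, that models why the one-character patch matters: it counts the work a simplified backtracking matcher does for the pre-fix alternative `[A-Z]{2,}[a-z]` versus the patched `[A-Z]{2}[a-z]` on a long run of uppercase letters, and checks that both patterns accept exactly the same strings (any string containing the first also contains the second, since the last two uppercase letters before the lowercase one satisfy it). The step model is an assumption for illustration, not V8's actual internal counters.

```javascript
// Added example (not lodash's own code). Models the work a backtracking regex
// engine does for the pre-fix alternative `[A-Z]{2,}[a-z]` versus the patched
// `[A-Z]{2}[a-z]`, and checks that the two accept exactly the same strings.

const VULNERABLE = /[A-Z]{2,}[a-z]/; // reHasUnicodeWord alternative before 4.17.11
const FIXED = /[A-Z]{2}[a-z]/;       // the same alternative after the patch

const isUpper = (c) => c !== undefined && c >= 'A' && c <= 'Z';
const isLower = (c) => c !== undefined && c >= 'a' && c <= 'z';

// Simplified cost model (an assumption, not V8's real counters): for each start
// position, greedily consume up to `max` uppercase letters, then hand them back
// one at a time, probing for `[a-z]` after each, until fewer than `min` remain.
// max = Infinity models `{2,}`; max = 2 models `{2}`.
function backtrackingSteps(s, min, max) {
  let steps = 0;
  for (let start = 0; start < s.length; start++) {
    let end = start;
    while (end < s.length && end - start < max) {
      steps++;
      if (!isUpper(s[end])) break;
      end++;
    }
    for (let len = end - start; len >= min; len--) {
      steps++;
      if (isLower(s[start + len])) return steps; // leftmost match found
    }
  }
  return steps; // scanned the whole string without a match
}

// Compare both patterns on one input: step counts under the model above, and
// whether the real regex engine agrees on match / no-match.
function compareWork(s) {
  return {
    vulnerable: backtrackingSteps(s, 2, Infinity),
    fixed: backtrackingSteps(s, 2, 2),
    sameResult: VULNERABLE.test(s) === FIXED.test(s),
  };
}

// Constructed inputs: a long uppercase run with no lowercase after it is the
// worst case for `{2,}` (quadratic); the others are ordinary word-splitting inputs.
const LONG_UPPER = 'A'.repeat(1000);
const SAMPLES = ['fooBARbaz', 'ABc', 'Abc', 'ABCDEF', 'snake_case', LONG_UPPER];

for (const s of SAMPLES) {
  const r = compareWork(s);
  console.log(`${s.slice(0, 12).padEnd(12)} vulnerable=${r.vulnerable} fixed=${r.fixed} same=${r.sameResult}`);
}
```

On the 1000-character uppercase run the model counts 1,000,000 steps for `{2,}` and 2,998 for `{2}`, while every sample gets the same match result from both patterns.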
Available Upgrade Options
- lodash-es
  - >4.7.0, <4.17.11 → Upgrade to 4.17.11
- lodash
  - >4.7.0, <4.17.11 → Upgrade to 4.17.11
- lodash-amd
  - >4.7.0, <4.17.11 → Upgrade to 4.17.11
- lodash-rails
  - >4.7.0, <4.17.11 → Upgrade to 4.17.11
Additional Resources
- https://github.com/lodash/lodash/wiki/Changelog
- https://github.com/lodash/lodash
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://github.com/lodash/lodash/issues/3359
- https://github.com/github/advisory-database/pull/6138
- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347
- https://security.netapp.com/advisory/ntap-20190919-0004
- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
What are Similar Vulnerabilities to CVE-2019-1010266?
Similar Vulnerabilities: CVE-2021-23437, CVE-2019-10744, CVE-2022-31129, CVE-2022-25875, CVE-2021-39144
