CVE-2020-28500
Regular Expression Denial of Service vulnerability in lodash
What is CVE-2020-28500 About?
All versions of the 'lodash' package prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) through its 'toNumber', 'trim', and 'trimEnd' functions. Attackers can cause a denial of service by supplying specially crafted input strings that trigger catastrophic backtracking in the underlying regular expressions. This is a common and relatively easy-to-exploit class of vulnerability wherever these functions process untrusted input.
Affected Software
- lodash: >4.0.0, <4.17.21
- lodash-es: >4.0.0, <4.17.21
- lodash.trimend: >4.0.0, <=4.5.1
- lodash.trim: >4.0.0, <=4.5.1
- lodash-rails: >4.0.0, <4.17.21
Technical Details
The vulnerability in 'lodash' versions prior to 4.17.21 resides in the regular expressions used by the 'toNumber', 'trim', and 'trimEnd' functions. These expressions are written in a way that permits catastrophic backtracking on particular malicious input strings. When a user-supplied string, especially one containing a long run of repeated characters (such as spaces), is passed to these functions, the regex engine enters an inefficient backtracking loop. This exponential increase in processing time consumes significant CPU resources, leading to an application slowdown or complete unresponsiveness, effectively causing a denial of service. The provided example demonstrates this by building a string of 50000 spaces that causes a noticeable delay in processing time for these functions.
What is the Impact of CVE-2020-28500?
Successful exploitation may allow attackers to degrade system performance or cause the application to become unresponsive, leading to denial of service for legitimate users.
What is the Exploitability of CVE-2020-28500?
Exploitation is straightforward, requiring the attacker to supply a specially crafted, long input string (e.g., a large number of spaces) to any application function that internally uses 'lodash.toNumber', 'lodash.trim', or 'lodash.trimEnd' on user-controlled data. There are no complex prerequisites other than identifying such an input point. Authentication is typically not required if these functions process unauthenticated user input, but could be if the input channel requires authentication. Privilege requirements are minimal; the attack targets the regex engine's performance, not system privileges. This is a remote exploit if the input is processed by a network-accessible service. The likelihood of exploitation is significantly increased whenever these vulnerable 'lodash' functions are used to process unsanitized user-generated or external data.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-28500?
About the Fix from Resolved Security
The patch replaces the use of inefficient regular expressions for trimming whitespace in string handling functions with a more performant method that avoids catastrophic backtracking, which could be exploited for Regular Expression Denial of Service (ReDoS) attacks. This fix for CVE-2020-28500 ensures that trimming operations on very large or crafted input strings execute in predictable time, eliminating the potential for an attacker to cause excessive CPU consumption and denial of service.
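As an added illustration of the mechanism described under Technical Details and of the fix approach described above (example code written for this page, not lodash's source and not Resolved Security's patch): the trailing-whitespace boundary is found with a one-character-at-a-time loop instead of a `\s+$` alternative, so the work stays linear in the input length. The names `safeTrim`, `safeTrimEnd`, `trimmedEndIndex` and `matchesNativeTrim` are chosen here, and the probe string is constructed.

```javascript
// Vulnerable shape (kept only as a code-review reference; never applied here).
// With input "1" + " ".repeat(n) + "1", the `\s+$` branch is attempted from each
// of the n spaces, greedily consumes to the final "1", fails on `$`, and then
// backtracks one character at a time, so total work grows with n^2.
const reTrimVulnerable = /^\s+|\s+$/g;

// One-character test: matching a single position cannot backtrack.
const reWhitespace = /\s/;

// Leading-whitespace match is anchored at index 0, so the engine attempts it once.
const reTrimStart = /^\s+/;

// Index of the last non-whitespace character (-1 when the string is all whitespace).
// Walks backwards one character at a time: O(n) with no regex backtracking.
function trimmedEndIndex(string) {
  let index = string.length;
  while (index-- && reWhitespace.test(string.charAt(index))) {
    // keep stepping back over whitespace
  }
  return index;
}

// Whitespace-only equivalent of trim(); toNumber would apply the same trimming
// before parsing, which is where the original regex was reachable from.
function safeTrim(value) {
  const string = value == null ? '' : String(value);
  if (!string) return '';
  return string.slice(0, trimmedEndIndex(string) + 1).replace(reTrimStart, '');
}

// Whitespace-only equivalent of trimEnd().
function safeTrimEnd(value) {
  const string = value == null ? '' : String(value);
  if (!string) return '';
  return string.slice(0, trimmedEndIndex(string) + 1);
}

// Regression check for a test suite: compare against the native trim (a linear
// scan in JS engines) on a constructed worst-case input of n padding spaces.
function matchesNativeTrim(n) {
  const probe = '1' + ' '.repeat(n) + '1' + ' '.repeat(n); // constructed input
  return safeTrim(probe) === probe.trim() && safeTrimEnd(probe) === probe.trimEnd();
}
```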
Available Upgrade Options
- lodash-es: >4.0.0, <4.17.21 → Upgrade to 4.17.21
- lodash-rails: >4.0.0, <4.17.21 → Upgrade to 4.17.21
- lodash: >4.0.0, <4.17.21 → Upgrade to 4.17.21
Additional Resources
- https://github.com/lodash/lodash/pull/5065
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://security.netapp.com/advisory/ntap-20210312-0006
- https://www.oracle.com/security-alerts/cpuoct2021.html
What are Similar Vulnerabilities to CVE-2020-28500?
Similar Vulnerabilities: CVE-2020-7661, CVE-2020-26308, CVE-2019-10756, CVE-2018-16460, CVE-2017-16016
