chore(deps): update dependency lodash to v4.17.23 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
lodash (source)	4.17.19 → 4.17.23

---

Prototype Pollution in lodash

CVE-2018-3721 / GHSA-fvqr-27wr-82fm

More information

Details

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-3721
• https://hackerone.com/reports/310443
• https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
• https://security.netapp.com/advisory/ntap-20190919-0004
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml
• https://github.com/advisories/GHSA-fvqr-27wr-82fm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Prototype Pollution in lodash

CVE-2019-10744 / GHSA-jf85-cpcp-j695

More information

Details

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

• https://github.com/lodash/lodash/pull/4336
• https://nvd.nist.gov/vuln/detail/CVE-2019-10744
• https://snyk.io/vuln/SNYK-JS-LODASH-450202
• https://access.redhat.com/errata/RHSA-2019:3024
• https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS
• https://security.netapp.com/advisory/ntap-20191004-0005
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml
• https://github.com/advisories/GHSA-jf85-cpcp-j695

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Command Injection in lodash

CVE-2021-23337 / GHSA-35jh-r3h4-6jhm

More information

Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Severity

• CVSS Score: 7.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-23337
• https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
• https://snyk.io/vuln/SNYK-JS-LODASH-1040724
• https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
• https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
• https://security.netapp.com/advisory/ntap-20210312-0006
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml
• https://github.com/advisories/GHSA-35jh-r3h4-6jhm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Prototype Pollution in lodash

CVE-2020-8203 / GHSA-p6mc-m468-83gw

More information

Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Severity

• CVSS Score: 7.4 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

References

• https://github.com/lodash/lodash/issues/4744
• https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
• https://nvd.nist.gov/vuln/detail/CVE-2020-8203
• https://hackerone.com/reports/712065
• https://github.com/lodash/lodash/issues/4874
• https://github.com/github/advisory-database/pull/2884
• https://hackerone.com/reports/864701
• https://github.com/lodash/lodash/wiki/Changelog#v41719
• https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
• https://security.netapp.com/advisory/ntap-20200724-0006
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml
• https://github.com/advisories/GHSA-p6mc-m468-83gw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Regular Expression Denial of Service (ReDoS) in lodash

CVE-2020-28500 / GHSA-29mw-wpgm-hmr9

More information

Details

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-28500
• https://github.com/lodash/lodash/pull/5065
• https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
• https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
• https://snyk.io/vuln/SNYK-JS-LODASH-1018905
• https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
• https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
• https://security.netapp.com/advisory/ntap-20210312-0006
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
• https://github.com/github/advisory-database/pull/6139
• https://github.com/advisories/GHSA-29mw-wpgm-hmr9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions

CVE-2025-13465 / GHSA-xxjr-mmjv-4gpg

More information

Details

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

References

• https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
• https://nvd.nist.gov/vuln/detail/CVE-2025-13465
• https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
• https://github.com/advisories/GHSA-xxjr-mmjv-4gpg

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source

v4.17.21

Compare Source

v4.17.20

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.