CVE-2020-28500: Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

medium5.3CVSS 3.1

AVNACLPRNUINSUCNINAL

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

44 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	node-lodash	< node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bookworm)	node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bookworm)
lodash	lodash	< 4.17.21	4.17.21
lodash	lodash	—	—
lodash	lodash	>= 4.0.0 < 4.17.21	4.17.21
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_extensibility_workbench	—	—
oracle	banking_extensibility_workbench	—	—
oracle	banking_extensibility_workbench	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	communications_cloud_native_core_policy	—	—
oracle	communications_design_studio	—	—
oracle	communications_services_gatekeeper	—	—
oracle	communications_session_border_controller	—	—
oracle	communications_session_border_controller	—	—
oracle	enterprise_communications_broker	—	—

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

osv5.3MEDIUM