CVE-2019-1010266
lodash: uncontrolled resource consumption in Date handler causing denial of service
- Severity Score: not shown
- Exploit Likelihood: not shown
- Affected Versions: lodash prior to 4.17.11
- Public Exploits: 2
- Exploited in Wild: -
- Decision: -
Descriptions
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Quay 3.6.0 release. Issues addressed include buffer over-read, buffer overflow, denial of service, out of bounds read, and spoofing vulnerabilities.
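The description above gives a practitioner two things to act on: a fixed version to compare against (4.17.11) and an attack vector (very long attacker-controlled strings fed to a regular expression). The block below is an added example, not code from lodash, from this advisory or from any of the linked references. It assumes plain `x.y.z` version strings, a constructed dependency listing, and a constructed nested-quantifier pattern (`EXPENSIVE_PATTERN`) that stands in for "a regex that backtracks badly on long input"; it is not the pattern from lodash. The first half flags an affected `lodash` version; the second shows the interim mitigation of capping input length before the regex ever runs.

```javascript
// Added example (not lodash or advisory code) for CVE-2019-1010266.
// Assumptions: versions are plain x.y.z (an optional leading "v" and a
// -prerelease/+build suffix are tolerated but ignored); the dependency
// listing and the regex below are constructed for illustration only.

// The fixed release named in the advisory text.
const FIXED_VERSION = [4, 17, 11];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given lodash version is below the fixed release.
function isAffectedLodash(version) {
  return compareVersions(parseVersion(version), FIXED_VERSION) < 0;
}

// Constructed sample: a flattened name -> version dependency listing.
// Only the "lodash" package itself is in scope for this advisory; the
// per-method packages (lodash.merge etc.) are separate artifacts.
const SAMPLE_DEPS = { lodash: '4.17.10', 'lodash.merge': '4.6.1', express: '4.17.1' };

function findAffectedLodash(deps) {
  return Object.entries(deps)
    .filter(([name, version]) => name === 'lodash' && isAffectedLodash(version))
    .map(([name, version]) => `${name}@${version}`);
}

// Constructed stand-in (NOT lodash's regex): a nested quantifier over an
// ambiguous sub-pattern, the shape that backtracks exponentially when a long
// input almost matches but fails at the end.
const EXPENSIVE_PATTERN = /^(\s*\d+\s*)+$/;

// Mitigation while a vulnerable dependency cannot be upgraded: refuse to run
// the regex at all on input longer than a fixed cap, so attacker-controlled
// length can no longer drive the matcher's running time.
function matchWithLengthCap(re, input, maxLen) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLen) {
    return { ok: false, reason: `input length ${input.length} exceeds cap ${maxLen}` };
  }
  return { ok: true, matched: re.test(input) };
}

// Stand-alone usage.
console.log(findAffectedLodash(SAMPLE_DEPS));
console.log(matchWithLengthCap(EXPENSIVE_PATTERN, '12 34', 256));
console.log(matchWithLengthCap(EXPENSIVE_PATTERN, '1'.repeat(10000) + 'x', 256));
```

The length cap is a stop-gap, not a substitute for upgrading: it bounds the damage from any backtracking pattern reachable from untrusted input, but the real fix is moving every copy of `lodash` in the dependency tree to 4.17.11 or later.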
CVSS Scores
SSVC
- Decision: -
Timeline
- 2018-08-31 First Exploit
- 2019-03-20 CVE Reserved
- 2019-07-17 CVE Published
- 2024-08-05 CVE Updated
- 2025-04-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (7)
URL | Tag | Source
---|---|---
https://github.com/lodash/lodash/issues/3359 | Issue Tracking |
https://github.com/lodash/lodash/wiki/Changelog | Release Notes |
https://security.netapp.com/advisory/ntap-20190919-0004 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/ossf-cve-benchmark/CVE-2019-1010266 | 2018-08-31 |
https://snyk.io/vuln/SNYK-JS-LODASH-73639 | 2024-08-05 |

URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2019-1010266 | 2021-10-19 |
https://bugzilla.redhat.com/show_bug.cgi?id=1743096 | 2021-10-19 |