CVEFinder.io

CVE-2019-1010266

🔶 medium
Summary

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

CVSS Score: 6.5 (Medium)
EPSS Score: 0.2 (Exploit Probability)
Published Date: 2019-07-17
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.9% of all 317,883 vulnerabilities in our database.

Severity Percentile: #165,618 (Below average severity)
Last Modified: 2024-11-21
CVSS Vector 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 4

https://github.com/lodash/lodash/issues/3359 (Issue Tracking, Third Party Advisory)
https://github.com/lodash/lodash/wiki/Changelog (Release Notes, Third Party Advisory)
https://snyk.io/vuln/SNYK-JS-LODASH-73639 (Exploit, Third Party Advisory)

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2025-13465 | 🔶 medium | 5.3 | 0.0 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An at... | 2026-01-21 |
| CVE-2020-28500 | 🔶 medium | 5.3 | 0.3 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim a... | 2021-02-15 |
| CVE-2021-23337 | ⚠️ high | 7.2 | 0.7 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | 2021-02-15 |
| CVE-2020-8203 | ⚠️ high | 7.4 | 2.6 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | 2020-07-15 |
| CVE-2019-10744 | ⛔ critical | 9.1 | 2.4 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked ... | 2019-07-26 |
| CVE-2018-16487 | 🔶 medium | 5.6 | 0.4 | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep ... | 2019-02-01 |

These CVEs affect the same products