CVE-2020-28500

🔶 medium

Summary

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS Score

5.3

Medium

EPSS Score

0.3

Exploit Probability

Published Date

2021-02-15

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.8% of all 322,079 vulnerabilities in our database.

#258,215

Below average severity

Severity Percentile

Last Modified 2024-11-21

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

📦 Affected Products 41

Vendor	Product	Status	Affected Versions
oracle	peoplesoft_enterprise_peopletools	Affected	v8.58
oracle	peoplesoft_enterprise_peopletools	Affected	v8.59
oracle	jd_edwards_enterpriseone_tools	Affected	< 9.2.6.1
oracle	retail_customer_management_and_segmentation_foundation	Affected	v19.0
oracle	communications_services_gatekeeper	Affected	v7.0
oracle	health_sciences_data_management_workbench	Affected	v2.5.2.1
oracle	health_sciences_data_management_workbench	Affected	v3.0.0.0
oracle	primavera_gateway	Affected	≥ 17.12.0 ≤ 17.12.11
oracle	primavera_gateway	Affected	≥ 18.8.0 ≤ 18.8.12
oracle	primavera_gateway	Affected	≥ 19.12.0 ≤ 19.12.11
oracle	primavera_gateway	Affected	≥ 20.12.0 ≤ 20.12.7
oracle	primavera_unifier	Affected	≥ 17.7 ≤ 17.12
oracle	primavera_unifier	Affected	v18.8
oracle	primavera_unifier	Affected	v19.12
oracle	primavera_unifier	Affected	v20.12
oracle	communications_session_border_controller	Affected	v8.4
oracle	communications_session_border_controller	Affected	v9.0
lodash	lodash	Affected	< 4.17.21
oracle	enterprise_communications_broker	Affected	v3.2.0
oracle	enterprise_communications_broker	Affected	v3.3.0
oracle	banking_extensibility_workbench	Affected	v14.2.0
oracle	banking_extensibility_workbench	Affected	v14.3.0
oracle	banking_extensibility_workbench	Affected	v14.5.0
oracle	communications_design_studio	Affected	v7.4.2
oracle	banking_corporate_lending_process_management	Affected	v14.2.0
oracle	banking_corporate_lending_process_management	Affected	v14.3.0
oracle	banking_corporate_lending_process_management	Affected	v14.5.0
oracle	banking_trade_finance_process_management	Affected	v14.2.0
oracle	banking_trade_finance_process_management	Affected	v14.3.0
oracle	banking_trade_finance_process_management	Affected	v14.5.0
oracle	banking_credit_facilities_process_management	Affected	v14.2.0
oracle	banking_credit_facilities_process_management	Affected	v14.3.0
oracle	banking_credit_facilities_process_management	Affected	v14.5.0
oracle	communications_cloud_native_core_policy	Affected	v1.11.0
oracle	banking_supply_chain_finance	Affected	v14.2.0
oracle	banking_supply_chain_finance	Affected	v14.3.0
oracle	banking_supply_chain_finance	Affected	v14.5.0
siemens	sinec_ins	Affected	< 1.0
siemens	sinec_ins	Affected	v1.0
oracle	financial_services_crime_and_compliance_management_studio	Affected	v8.0.8.2.0
oracle	financial_services_crime_and_compliance_management_studio	Affected	v8.0.8.3.0

🔗 References 14

https://cert-portal.siemens.com/productcert/pdf/ssa-...

Patch Third Party Advisory

https://github.com/lodash/lodash/blob/npm/trimEnd.js...

Broken Link

https://github.com/lodash/lodash/pull/5065

Patch Third Party Advisory

https://security.netapp.com/advisory/ntap-20210312-0...

Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUB...

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JS-LODASH-1018905

Exploit Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Not Applicable Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch Third Party Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-34307	🔶 medium	5.4	0.0	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported ve...	2026-04-21
CVE-2026-34309	⚠️ high	8.1	0.1	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported ve...	2026-04-21
CVE-2026-2950	🔶 medium	6.5	0.1	Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. ...	2026-03-31
CVE-2026-4800	⚠️ high	8.1	0.0	Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variabl...	2026-03-31
CVE-2025-13465	🔶 medium	5.3	0.0	Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An at...	2026-01-21
CVE-2026-21934	🔶 medium	5.4	0.0	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Su...	2026-01-20

These CVEs affect the same products