[Apiiro] SCA OSS Vulnerabilities - Critical CVSS score · Critical Risk

[urikalma]

Discovered on: Nov 14, 2024 10:01

Dependency: lodash
Version: 2.4.2
Type: Sub dependency
Introduced through:

• sanitize-html: 1.4.2 > lodash: 2.4.2

Vulnerabilities

• Prototype Pollution in lodash with CVSS score 9.1. fixed version: 4.17.12
• Prototype Pollution in lodash with CVSS score 6.5. fixed version: 4.17.5
• Regular Expression Denial of Service (ReDoS) in lodash with CVSS score 5.3. fixed version: 4.17.21
• Command Injection in lodash with CVSS score 7.2. fixed version: 4.17.21
• Regular Expression Denial of Service (ReDoS) in lodash with CVSS score 6.5. fixed version: 4.17.11
• Prototype Pollution in lodash with CVSS score 5.6. fixed version: 4.17.11

About this package:

External dependency: lodash - https://www.npmjs.com/package/lodash
Package details: Lodash modular utilities.
Latest version: 4.17.21
License: MIT
Insights:

• Adequate maintainer count - This package is maintained by at least 3 developers
• Popularity - This package has many weekly downloads and high popularity scores
• Sparse commits - New code commits don't happen frequently for this package
• Under tested - Best practices in testing are not being followed for this package
• Has vulnerabilities - One or more vulnerabilities have been reported for this package
• Used in code - This package is introduced directly and through top level dependencies which are imported in the code:
  • Direct import of sub-dependency - used in code in: routes/chatbot.ts
  • sanitize-html - used in code in: lib/challengeUtils.ts And 1 more.

Remediation

lodash is a sub-dependency referenced by the following top-level dependencies:

• sanitize-html declared in package.json
  Upgrade these top-level dependencies to a version that uses lodash with version 4.17.21
  View in Apiiro