Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#49732 closed defect (bug) (invalid)

lodash 4.17.15 The lodash package is vulnerable to Prototype Pollution.

Reported by: tlterry's profile tlterry Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: External Libraries Keywords:
Focuses: Cc:


Hi WordPress,

I am having the following issue. Can you please have a look issue how do we resolve it? Thank you.

The lodash package is vulnerable to Prototype Pollution. The template function in lodash.js, template.js, and lodash.min.js does not account for unicode newline characters when filtering the sourceURL property of the options object. Because of how the options object is used, an attacker who can control the source URL can leverage this to alter properties on the prototype chain, which can cause other sections of code to behave in an arbitrary and malicious way.

Please note that this vulnerability is due to an incomplete fix in sonatype-2019-0500.

The application is vulnerable by using this component.

There is no non vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control.

lodash-4.17.15.tgzMETA-INF/resources/webjars/lodash/4.17.15/template.js[4.17.13, )

Change History (3)

#1 @tlterry
4 years ago

Both related files located at file path below.

lodash.js located at /wp-includes/js/dist/vendor
lodash.min.js located at /wp-includes/js/dist/vendor

#2 @SergeyBiryukov
4 years ago

  • Component changed from General to External Libraries

#3 @SergeyBiryukov
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

4.17.15 is the current version of lodash, so it doesn't look like there are any actionable items for WordPress core here. When a new version is released, it will be updated as part of #49707.

For any potential security issues in WordPress core, as already noted in comment:1:ticket:49735, please follow Reporting Security Vulnerabilities. Trac is not the correct place for these reports.

Last edited 4 years ago by SergeyBiryukov (previous) (diff)
Note: See TracTickets for help on using tickets.