Critical Flaws Found in Widely Used Lodash Library

TL;DR: The popular JavaScript library Lodash has multiple high-severity vulnerabilities, including one that could let an attacker modify application behavior. The flaws affect several long-term support versions of Ubuntu, putting many web applications at risk.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published
- Source: Ubuntu Security Notices
Full summary
Multiple high-severity vulnerabilities have been discovered in Lodash, a widely used JavaScript library, affecting several long-term support versions of Ubuntu.
Ubuntu has released a security advisory for Lodash, an extremely popular JavaScript utility library used by millions of developers. The notice details several high-severity vulnerabilities affecting applications running on Ubuntu 18.04 LTS and 20.04 LTS, two widely deployed server operating systems. One of the most critical issues is a prototype pollution flaw in the `zipObjectDeep` function (CVE-2020-8203). In simple terms, a remote attacker who controls the property paths passed to this function could inject properties into `Object.prototype`, the object from which almost every JavaScript object inherits, so that every object in the application silently gains attacker-chosen properties at runtime. This can lead to unpredictable behavior, bypass security controls (for example, checks that test whether a flag is set on a configuration object), or open the door to further exploitation. Additionally, the advisory highlights a regular expression denial of service (ReDoS) vulnerability in the `toNumber`, `trim`, and `trimEnd` functions. A specially crafted input to these common functions triggers pathological backtracking in their internal regular expressions, so an application that passes untrusted strings to them could become completely unresponsive or crash while stuck in that computation.
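To make the prototype pollution risk concrete from the defender's side, here is an added example, not Lodash's own code and not taken from the Ubuntu notice, of a `zipObjectDeep`-style helper that refuses the path segments a pollution payload has to use (`__proto__`, `constructor`, `prototype`), together with a startup-baseline check that reports whether `Object.prototype` has gained unexpected properties. The function names and the path syntax it accepts are this example's own assumptions.

```javascript
// Added example, not Lodash's own code: a hardened deep path setter that
// refuses the key names prototype-pollution payloads rely on, plus a
// baseline check that tells you whether Object.prototype has been altered.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" or 'a["b"].c' into ["a", "b", "0", "c"].
function parsePath(path) {
  return path
    .replace(/\[['"]?([^\]'"]+)['"]?\]/g, '.$1')
    .split('.')
    .filter(Boolean);
}

// Set `value` at `path` inside `target`, creating intermediate objects.
// Throws instead of writing if any segment would reach Object.prototype.
function safeSetPath(target, path, value) {
  const segments = Array.isArray(path) ? path.map(String) : parsePath(path);
  if (segments.length === 0) throw new Error('empty path');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing prototype-polluting path segment: ${seg}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const hasOwn = Object.prototype.hasOwnProperty.call(node, seg);
    if (!hasOwn || node[seg] === null || typeof node[seg] !== 'object') {
      // Null-prototype intermediates: lookups on them can never fall
      // through to Object.prototype, even if something else polluted it.
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// zipObjectDeep-style helper built on the safe setter: pairs each path with
// the value at the same index.
function safeZipObjectDeep(paths, values) {
  const result = Object.create(null);
  paths.forEach((p, i) => safeSetPath(result, p, values[i]));
  return result;
}

// Capture the own property names of Object.prototype at startup...
function snapshotObjectPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}

// ...and later report any names that were not there before. A non-empty
// result means something in the process wrote to Object.prototype.
function unexpectedPrototypeKeys(baseline) {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !baseline.has(k));
}

// Optional mitigation: after initialisation, make Object.prototype immutable
// so later writes to it are ignored (or throw in strict mode). Some libraries
// patch Object.prototype deliberately, so test before enabling in production.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
}

// Demo run.
const demoBaseline = snapshotObjectPrototype();
console.log(safeZipObjectDeep(['a.b[0].c', 'x'], [1, 2]));
try {
  safeZipObjectDeep(['__proto__.polluted'], [true]);
} catch (e) {
  console.log('blocked:', e.message);
}
console.log('unexpected keys on Object.prototype:', unexpectedPrototypeKeys(demoBaseline));
```

The baseline check is cheap enough to run from a health endpoint or a post-deployment smoke test; a non-empty result is a strong signal that some dependency, not necessarily Lodash, has written to `Object.prototype`.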
The potential impact of these vulnerabilities is significant due to Lodash's immense popularity and deep integration into the software supply chain. It is a core dependency in millions of open-source projects and countless private applications, making it a foundational part of the modern web development ecosystem. Any organization running Node.js backends or complex front-end applications on the affected Ubuntu Long-Term Support versions is potentially at risk. For developers and security teams, this advisory is a direct call to action. Failing to patch the library could leave production systems exposed to attacks that tamper with application logic or cause disruptive service outages. CTOs and IT leaders should treat this as a serious supply chain risk, as a flaw in a single, common dependency can create a widespread security problem across their entire software portfolio, affecting both internal and customer-facing services.
⚡ Action needed
Update the Lodash package on affected systems to the patched version provided by Ubuntu. Review all project dependencies to ensure every instance of Lodash is updated.
Action checklist
1. Identify all systems running Ubuntu 18.04 LTS and 20.04 LTS.
2. Scan your projects' dependencies to find all instances of the Lodash library.
3. Run `sudo apt-get update && sudo apt-get install --only-upgrade libjs-lodash` on affected servers.
4. Verify that your applications function correctly after the update.
5. Implement automated dependency scanning tools to catch future vulnerabilities.
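Step 3 fixes the distro-packaged copy, but step 2 also has to find the copies npm nests inside `node_modules`, which `apt-get` never touches. The following added example, not part of the Ubuntu notice, enumerates every `lodash/package.json` under a project tree and counts those older than a minimum version. The minimum version is a placeholder you must replace with the fixed version named in the advisory for the CVE you are patching; the sample tree and its version numbers are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the Ubuntu notice): enumerate every copy of
# lodash vendored under a project tree and flag those older than a minimum
# version. Complements the apt-get step, which only updates libjs-lodash.

# Print "<path> <version>" for every */lodash/package.json under directory $1.
find_lodash_copies() {
  find "$1" -type f -path '*/lodash/package.json' 2>/dev/null | sort | while read -r pkg; do
    ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    if [ -n "$ver" ]; then
      printf '%s %s\n' "$pkg" "$ver"
    fi
  done
}

# Succeed (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Echo the number of lodash copies under $1 older than $2; each outdated copy
# is reported on stderr so the count stays machine-readable on stdout.
count_outdated_lodash() {
  tmp=$(mktemp)
  find_lodash_copies "$1" > "$tmp"
  outdated=0
  while read -r pkg ver; do
    if version_lt "$ver" "$2"; then
      printf 'OUTDATED %s (%s < %s)\n' "$pkg" "$ver" "$2" >&2
      outdated=$((outdated + 1))
    fi
  done < "$tmp"
  rm -f "$tmp"
  printf '%s\n' "$outdated"
}

# Build a constructed sample tree (two nested lodash copies plus an unrelated
# lodash.merge package that must not be counted) and echo its root.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/lodash" \
           "$root/node_modules/some-dep/node_modules/lodash" \
           "$root/node_modules/lodash.merge"
  printf '{ "name": "lodash", "version": "4.17.15" }\n' > "$root/node_modules/lodash/package.json"
  printf '{ "name": "lodash", "version": "4.17.21" }\n' > "$root/node_modules/some-dep/node_modules/lodash/package.json"
  printf '{ "name": "lodash.merge", "version": "4.6.2" }\n' > "$root/node_modules/lodash.merge/package.json"
  printf '%s\n' "$root"
}

# Demo. MIN_VERSION is a placeholder: substitute the fixed version named in
# the advisory for the CVE you are patching.
MIN_VERSION="${MIN_VERSION:-4.17.21}"
sample=$(make_sample_tree)
n=$(count_outdated_lodash "$sample" "$MIN_VERSION")
echo "outdated lodash copies under $sample: $n"
rm -rf "$sample"
```

Point `count_outdated_lodash` at a real project root instead of the sample tree and fail the CI job when it prints anything other than `0`; that turns step 5's "automated dependency scanning" into a concrete gate for this one library until a full SCA tool is in place.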
Primary source: Ubuntu Security Notices