Article
Crypto

Sonatype examines lodash’s open source vulnerabilities

By William Girling
September 30, 2020
undefined mins
In our next article on Sonatype’s Top 5 Open Source Vulnerabilities White Paper, we explore the vulnerabilities of lodash...

In our next article on Sonatype’s Top 5 Open Source Vulnerabilities White Paper, we explore the vulnerabilities of lodash

Ranked in fourth place on Sonatype’s list, lodash is a more modern release than Bouncycastle; it saw its initial release in April 2012 and finally a stable release in August 2020. 

A JavaScript library designed to help programmers write in a clearer, more manageable way, it has provided diverse utility functions (including ‘function’, ‘string’, ‘array’, ‘collection’ and more) across its release history.

“Lodash is a very popular Javascript library used by developers worldwide to simplify and consolidate their code,” said Sonatype in a recent blog post.

“Users of lodash are able to reap the benefits of more elegant code in less time by utilising the robust lodash library. However, what was created as a helpful feature for most, lends itself to an attack vector for bad actors if it isn’t managed properly.”

Attack mechanics and remediation procedure

According to Sonatype’s research, vulnerability CVE-2018-16487 stems from an apparently incomplete repair carried out on version 4.17.5 of lodash (CVE-2018-3721).

Lodash is particularly susceptible to ‘prototype pollution’: because Javascript is primarily a prototyping language, its functionality is geared towards the ability to quickly add new objects and properties.

Cyber attackers can exploit this function by inserting large quantities of incompatible objects in a short time frame, which can cause a DoS (denial of service) or RCE (remote code execution) response. 

To resolve the issue, Sonatype recommends users upgrade to version 4.17.11 of lodash, which contains a dedicated fix for the issue.

“If upgrading is not a viable option, some developers have chosen to protect against this vulnerability by replacing a property entirely (rather than recursively extending it) if the destination object doesn't have that property as its own,” it advises.

Furthermore, the company advises that fixing one of lodash’s properties wouldn’t necessarily guarantee that all others were equally protected. As such, users are advised to tread with caution to ensure the vulnerability is holistically resolved. 

FintechSonatypeLodashOpen source software
Share
Share

Featured Articles

Eric Hussey, Finastra joins FinTech LIVE New York

Eric Hussey, Senior Vice President and Chief Information Security Officer at Finastra to speak at FinTech LIVE New York

Upcoming Events: FinTech LIVE 2024

Discover what’s still to come in 2024 for FinTech LIVE including virtual, in-person events and awards

SAVE THE DATE: FinTech LIVE New York

FinTech LIVE returns this summer with FinTech LIVE New York on 17 June 2024 – The ultimate virtual event for fintech leaders in North America

WE’RE LIVE! FinTech LIVE Dubai

Digital Payments

Amberdata: RWA tokenisation gains significant momentum

Tech & AI

WE’RE LIVE! FinTech LIVE Singapore

Banking