Out-of-date Version (Lodash)


Kiran

Aug 14, 2025, 3:59:47 PM
to cBioPortal for Cancer Genomics Discussion Group
Hello there,

We are using the cBioPortal version 6.2.0 and found a captioned vulnerability. Do you have any plans to upgrade Lodash?

Lodash version used: 4.17.11
Lodash latest version: 4.17.21

Please find the vulnerability below.

Thanks,
Kiran
1. Out-of-date Version (Lodash)
Severity: CRITICAL (1)

Invicti Standard identified that the target web site is using Lodash and detected that it is out of date.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Known Vulnerabilities in Out-of-date Version (Lodash)

Lodash Other Vulnerability

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

External References

Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

External References

Lodash Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

External References

Lodash Other Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

External References
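As an added example (not code from cBioPortal, lodash or the scanner), the check below maps the fix versions quoted in the report above onto an installed lodash version, and onto every lodash copy in an npm lockfile so nested duplicates are not missed after a top-level bump. The package-lock v2/v3 layout and the sample lockfile are assumptions.

```javascript
// Added example (not cBioPortal code): which lodash advisories quoted in the
// thread still apply to an installed version. Fix versions come from the
// advisory text above; lockfile layout assumes npm package-lock v2/v3.
const LODASH_ADVISORIES = [
  { fixedIn: '4.17.12', issue: 'Prototype Pollution via defaultsDeep' },
  { fixedIn: '4.17.20', issue: 'Prototype Pollution via zipObjectDeep' },
  { fixedIn: '4.17.21', issue: 'Command Injection via template' },
  { fixedIn: '4.17.21', issue: 'ReDoS via toNumber, trim and trimEnd' },
];

// Parse "MAJOR.MINOR.PATCH" (optional ^, ~ or v prefix) into three numbers.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison; string comparison would rank 4.17.9 above 4.17.11.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisories whose fix landed after the installed version.
function auditLodash(installed) {
  return LODASH_ADVISORIES
    .filter((a) => compareVersions(installed, a.fixedIn) < 0)
    .map((a) => `${a.issue} (fixed in ${a.fixedIn})`);
}

// Audit every lodash copy in a parsed package-lock.json "packages" map;
// nested copies under other packages are missed when only the top level is bumped.
function auditLockfile(lock) {
  const findings = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/lodash') && meta.version) {
      const hits = auditLodash(meta.version);
      if (hits.length) findings[path] = hits;
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from the cBioPortal repository.
const SAMPLE_LOCK = { packages: {
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/some-plugin/node_modules/lodash': { version: '4.17.11' },
} };
console.log(auditLodash('4.17.11'), auditLockfile(SAMPLE_LOCK));
```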

Aaron L

Sep 8, 2025, 12:05:43 PM
to Kiran, cBioPortal for Cancer Genomics Discussion Group
Hi Kiran, 

I've upgraded lodash to latest. Thanks for the heads up.

--Aaron


Kiran

Sep 8, 2025, 1:39:52 PM
to cBioPortal for Cancer Genomics Discussion Group
Thank you, Aaron. I will deploy the pre-release and verify the application soon. Thanks.