Out-of-date Version (Lodash)


Kiran

Aug 14, 2025, 3:59:47 PM
to cBioPortal for Cancer Genomics Discussion Group
Hello there,

We are using cBioPortal version 6.2.0 and found the captioned vulnerability. Do you have any plans to upgrade Lodash?

Lodash version used: 4.17.11
Lodash latest version: 4.17.21

Please find the vulnerability below.

Thanks,
Kiran
1. Out-of-date Version (Lodash)
CRITICAL

Invicti Standard identified that the target web site is using Lodash and detected that it is out of date.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Known Vulnerabilities in Out-of-date Version (Lodash)

Lodash Other Vulnerability

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVSS

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Lodash Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Lodash Other Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

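The first finding in the scanner output describes defaultsDeep being "tricked into adding or modifying properties of Object.prototype using a constructor payload". The following is an added illustration of that bug class, not code from cBioPortal, lodash or the scanner: a toy recursive deep-defaults merge that resolves keys through the prototype chain (so a `constructor` key reaches `Object`, and `prototype` below it reaches `Object.prototype`), beside a hardened version that only walks own keys, skips the three prototype-reaching names and never reads inherited properties off the target. The function names and the JSON payload are this example's own constructions.

```javascript
// Added example (not cBioPortal, lodash or Invicti code): a toy "defaults deep"
// with the prototype-pollution bug class described in the post, beside a
// hardened version. Function names and the payload are constructed for this example.

// Anything the vulnerable merge is willing to descend into. Functions count,
// because `{}.constructor` is the Object function and Object.prototype hangs off it.
function isTraversable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// VULNERABLE: `target[key]` is an ordinary property lookup, so for key === 'constructor'
// it resolves through the prototype chain to the Object function, the next level
// reaches Object.prototype, and the final write lands on every object in the runtime.
function defaultsDeepVulnerable(target, source) {
  for (const key in source) {
    const srcVal = source[key];
    const tgtVal = target[key]; // inherited lookup: this is the flaw
    if (isTraversable(srcVal) && isTraversable(tgtVal)) {
      defaultsDeepVulnerable(tgtVal, srcVal);
    } else if (tgtVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// HARDENED: own keys only, never the three names that lead to a prototype,
// and never read inherited properties off the target.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTO_KEYS.has(key)) continue; // refuse to traverse towards any prototype
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (hasOwn && isPlainObject(target[key]) && isPlainObject(srcVal)) {
      defaultsDeepSafe(target[key], srcVal);
    } else if (!hasOwn) {
      // copy nested objects instead of aliasing attacker-controlled references
      target[key] = isPlainObject(srcVal) ? defaultsDeepSafe({}, srcVal) : srcVal;
    }
  }
  return target;
}

// Runs both merges against the same payload and reports whether Object.prototype leaked.
function demo() {
  // Constructed attacker input: the kind of "constructor payload" a JSON request body carries.
  const payload = JSON.parse('{"constructor":{"prototype":{"polluted":true}}}');

  defaultsDeepVulnerable({}, payload);
  const vulnerableLeaked = ({}).polluted === true; // a fresh, unrelated object now carries the key
  delete Object.prototype.polluted; // undo the pollution before continuing

  defaultsDeepSafe({}, payload);
  const safeLeaked = ({}).polluted === true;

  // Ordinary use still works: existing values win, missing ones are filled in.
  const merged = defaultsDeepSafe({ a: { b: 1 } }, { a: { b: 2, c: 3 }, d: 4 });

  return { vulnerableLeaked, safeLeaked, merged };
}

console.log(demo());
```

The same hardened function also blocks the `__proto__` variant of the payload, since JSON.parse creates `__proto__` as an own key that the vulnerable loop would happily follow to Object.prototype. To confirm which lodash a deployment actually ships before and after an upgrade, run `npm ls lodash` or `node -p "require('lodash/package.json').version"` in the project directory; a transitive dependency can pin an older copy even when the direct dependency is current.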