fix(deps): update dependency underscore to ~1.13.0 [security]#358
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency underscore to ~1.13.0 [security]#358renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
2 times, most recently
from
September 18, 2023 07:59
f51adf5 to
b277634
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
3 times, most recently
from
September 25, 2023 10:07
f83832f to
dd4835e
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
October 18, 2023 07:28
dd4835e to
c36893b
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
November 8, 2023 13:25
c36893b to
d2bec8a
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
3 times, most recently
from
November 20, 2023 11:26
d9be4f0 to
00c56ae
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
3 times, most recently
from
December 4, 2023 09:23
9501556 to
d30518e
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
2 times, most recently
from
December 18, 2023 09:39
4400898 to
8538593
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
5 times, most recently
from
January 15, 2024 11:28
aae56ed to
6f937ca
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
January 22, 2024 10:35
6f937ca to
a0512ff
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
February 5, 2024 09:31
a0512ff to
37f6866
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
February 12, 2024 10:18
37f6866 to
704ac98
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
2 times, most recently
from
February 26, 2024 09:07
9b5ea19 to
7d8f9f0
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
2 times, most recently
from
March 11, 2024 08:29
c8be84b to
12b8b72
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
2 times, most recently
from
March 18, 2024 10:58
6a016bf to
95062d5
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
March 25, 2024 12:03
95062d5 to
be113a8
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
4 times, most recently
from
May 27, 2024 09:44
1220a1f to
2267252
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
June 3, 2024 07:04
2267252 to
69a230e
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
7 times, most recently
from
June 20, 2024 19:45
721ad75 to
f0c9e17
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
3 times, most recently
from
July 15, 2024 04:40
5ab7b16 to
4510ec0
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
July 15, 2024 07:33
4510ec0 to
04e0f55
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
3 times, most recently
from
August 19, 2024 04:13
4c225dc to
b25c1f0
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
from
August 31, 2024 06:55
b25c1f0 to
107413f
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
3 times, most recently
from
September 23, 2024 14:24
b22c908 to
99851de
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
4 times, most recently
from
October 7, 2024 09:06
25b3a26 to
a6a25df
Compare
renovate
Bot
force-pushed
the
renovate/npm-underscore-vulnerability
branch
2 times, most recently
from
October 7, 2024 15:28
6d68354 to
245e388
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~1.8.3→~1.13.0Arbitrary Code Execution in underscore
CVE-2021-23358 / GHSA-cf4h-3jhx-xvhq
More information
Details
The package
underscorefrom 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
CVE-2026-27601 / GHSA-qpx9-hpmf-5gmw
More information
Details
Impact
In simple words, some programs that use
_.flattenor_.isEqualcould be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation follows.In affected versions of Underscore, the
_.flattenand_.isEqualfunctions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow.A proof of concept (PoC) for this type of attack with
_.isEqual:A proof of concept (PoC) for this type of attack with
_.flatten:An application that crashes because of this can be restarted, so the bug is most relevant to applications for which continued operation is important, such as server applications. Furthermore, an application is only vulnerable to this type of attack if ALL of the following conditions are met:
JSON.parse, with no enforced depth limit._.flattenor_.isEqual._.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to_.flatten._.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using_.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared._.flattenor_.isEqual, as a result of a stack overflow, are not being caught.All versions of Underscore up to and including 1.13.7 are affected by this weakness.
Patches
The problem has been patched in version 1.13.8. Upgrading to 1.13.8 or later completely prevents exploitation.
Note: historically, there have been breaking changes in minor releases of Underscore, especially between versions 1.6 and 1.9. However, upgrading from version 1.9 or later to any later 1.x version should be feasible with little or no effort for all users.
Workarounds
A workaround that works for both functions is to enforce a depth limit on the datastructure that is created from untrusted input. A limit of 1000 levels should prevent attacks from being successful on most systems. In systems with highly constrained hardware, we recommend lower limits, for example 100 levels.
Another possible workaround that only works for
_.flatten, is to pass a second argument that limits the flattening depth to 1000 or less.References
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
jashkenas/underscore (underscore)
v1.13.8Compare Source
v1.13.7Compare Source
v1.13.6Compare Source
v1.13.5Compare Source
v1.13.4Compare Source
v1.13.3Compare Source
v1.13.2Compare Source
v1.13.1Compare Source
v1.13.0Compare Source
v1.12.1Compare Source
v1.12.0Compare Source
v1.11.0Compare Source
v1.10.2Compare Source
v1.10.1Compare Source
v1.10.0Compare Source
v1.9.2Compare Source
v1.9.1Compare Source
v1.9.0Compare Source
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.