
A modern JavaScript utility library delivering modularity, performance, & extras.


[Security] High severity findings summary #2

open bhaktateas opened this issue · 0 comments
bhaktateas commented

High Severity Security Findings — lodash-bench (branch: main)

This issue consolidates all High-severity findings identified during the automated security audit.


Finding H-1: Vulnerable devDependency — lodash@4.17.20 (known prototype pollution CVE)

File: package.json
Line: 41 ("lodash": "4.17.20")

The project pins the lodash devDependency to version 4.17.20, which is affected by:

  • CVE-2021-23337 — Command injection via _.template (CVSS 7.2)
  • CVE-2020-28500 — ReDoS in _.trim, _.trimStart, _.trimEnd (CVSS 5.3)
  • GHSA-xxjr-mmjv-4gpg — Prototype pollution via _.unset() path traversal

The main library (lodash.js) itself is patched to version 4.17.23, but the devDependency used by build scripts is still 4.17.20.

Recommendation: Upgrade the lodash devDependency to >=4.17.21 (preferably latest stable):

"lodash": "^4.17.21"

Finding H-2: Vulnerable devDependency — uglify-js@2.7.5 (known CVE)

File: package.json
Line: 53 ("uglify-js": "2.7.5")

uglify-js versions before 3.13.2 are affected by:

  • CVE-2015-8857 — ReDoS in uglify-js (affected versions <2.6.0 — partially overlapping)
  • Snyk SNYK-JS-UGLIFYJS-72352 — Uninitialized memory exposure / asm.js miscompilation

Recommendation: Upgrade to uglify-js >= 3.17.0 or later:

"uglify-js": "^3.17.0"

Finding H-3: Vulnerable devDependency — webpack@^1.14.0 (very old, multiple CVEs)

File: package.json
Line: 55 ("webpack": "^1.14.0")

Webpack 1.x has been end-of-life since ~2017 and has no security support. Multiple vulnerabilities exist in its dependency tree, and the version range ^1.14.0 will resolve to the newest 1.x release which still lacks security fixes present in webpack 4/5.

Recommendation: Upgrade to webpack >= 5.x.


Finding H-4: Custom baseUnset prototype-pollution guard has flawed logic

File: lodash.js
Lines: 4368–4418

The custom baseUnset implementation includes a hand-rolled prototype pollution guard that diverges from the upstream official lodash fix. It has a non-standard bypass condition:

// Allow ONLY when the path starts at a primitive root
if (isRootPrimitive && index === 0) {
  continue;   // skips the block WITHOUT returning false
}
return false;

The isRootPrimitive bypass (lines 4381–4408) allows constructor.prototype to be traversed when object is null or a non-object primitive at path index 0, then continues iterating the rest of the path. This logic was not present in the official CVE fix and may re-introduce prototype pollution under edge cases.

The official fix in lodash 4.17.21 (GHSA-xxjr-mmjv-4gpg) simply blocks __proto__ and constructor.prototype paths unconditionally in baseSet/baseUnset.

Recommendation:

  1. Replace the custom baseUnset guard with the exact code from the upstream 4.17.21+ tag.
  2. Add unit tests specifically targeting _.unset(obj, '__proto__.polluted') and _.unset(obj, 'constructor.prototype.polluted').

Finding H-5: Committed dist/lodash.js — supply chain / tampering risk

File: dist/lodash.js

The minified/built distribution artifact is committed directly to version control. This is a supply chain security risk: if an attacker gains write access (compromised contributor account, branch protection bypass, CI secret leak), they can push a malicious dist/lodash.js that differs from the source lodash.js without triggering obvious code review diffs.

Recommendation:

  1. Add dist/ to .gitignore and generate it in CI.
  2. Add a CI step that rebuilds dist/ and fails if the output differs from what is committed (integrity check).
  3. Publish checksums (SHA-256) for release artifacts.

Summary Table

| ID | Severity | Category | File | Line | Description |
| --- | --- | --- | --- | --- | --- |
| H-1 | High | Dependency CVE | package.json | 41 | lodash@4.17.20 devDep with known prototype pollution + RCE CVEs |
| H-2 | High | Dependency CVE | package.json | 53 | uglify-js@2.7.5 with known CVEs |
| H-3 | High | Dependency EOL | package.json | 55 | webpack@^1.14.0 is EOL with no security support |
| H-4 | High | Code Vulnerability | lodash.js | 4368–4418 | Flawed custom prototype-pollution guard in baseUnset |
| H-5 | High | Supply Chain | dist/lodash.js | n/a | Committed build artifact enables silent tampering |
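Added example (not lodash's code and not from the issue author): a minimal unset() whose guard refuses `__proto__` and `constructor.prototype` paths unconditionally, with no primitive-root exception, as the H-4 recommendation describes, plus a self-cleaning regression check for the two paths named in step 2. Path parsing is reduced to a dot split and the `__h4_probe__` marker name is a constructed value, both assumptions for a stand-alone demo.

```javascript
// Added example, not lodash's own code: a minimal unset() with the
// unconditional prototype-path guard the H-4 recommendation describes.
// Path parsing is reduced to a dot split (assumption for a stand-alone demo).

function castPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// True when walking these keys could reach a shared prototype: `__proto__`
// anywhere, or `constructor` immediately followed by `prototype`. There is no
// exception for a null or primitive root, which is the gap the finding flags.
function isPrototypePath(keys) {
  for (let i = 0; i < keys.length; i++) {
    if (keys[i] === '__proto__') return true;
    if (keys[i] === 'constructor' && keys[i + 1] === 'prototype') return true;
  }
  return false;
}

// Remove the property at `path`. Returns false when the guard refuses the
// path; otherwise true (also when there was nothing to delete). Intermediate
// steps only follow own properties, so inherited ones such as `constructor`
// are never traversed.
function safeUnset(object, path) {
  const keys = castPath(path);
  if (isPrototypePath(keys)) return false;
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (current === null || typeof current !== 'object') return true;
    if (!Object.prototype.hasOwnProperty.call(current, keys[i])) return true;
    current = current[keys[i]];
  }
  if (current === null || typeof current !== 'object') return true;
  return delete current[keys[keys.length - 1]];
}

// Regression check for the two paths named in the recommendation: plant a
// constructed marker on Object.prototype, attempt both unsets, confirm the
// marker survived, then remove the marker again.
function regressionReport() {
  const marker = '__h4_probe__'; // constructed name, assumption
  Object.defineProperty(Object.prototype, marker, { value: 1, configurable: true });
  try {
    return {
      protoBlocked: safeUnset({}, '__proto__.' + marker) === false,
      ctorBlocked: safeUnset({}, 'constructor.prototype.' + marker) === false,
      nullRootBlocked: safeUnset(null, 'constructor.prototype.' + marker) === false,
      markerIntact: Object.prototype.hasOwnProperty(marker),
    };
  } finally {
    delete Object.prototype[marker];
  }
}
```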