[GHSA-29mw-wpgm-hmr9] Regular Expression Denial of Service (ReDoS) in lodash

[DmitriyLewen]

Updates

• Affected products

Comments
Hello!
If i understand correctly, lodash team has moved lodash.trim and lodash.trimend packages inside lodash package:
https://github.com/lodash/lodash/tree/npm-packages/lodash.trim => https://github.com/lodash/lodash/blob/npm/trim.js
They have stopped updating of these packages:
https://www.npmjs.com/package/lodash.trim
https://www.npmjs.com/package/lodash.trimend

I checked code and looks like there is no fix for this CVE for these packages:
e.g.:
lodash.trimend still uses string.replace(reTrimEnd, '')(with /\s+$/ value) - https://github.com/lodash/lodash/blob/aaa111912cb05e6f0f9f23d1eb8a41ccfcf9c2c2/lodash.trimend/index.js#L356 (fix of this - https://github.com/lodash/lodash/pull/5065/files#diff-36b7ba0ba252cc39fa5921d9484b7674c8bc7af119636ba7f46194ee871047b6R15046).

I could be wrong. Can you take a look and correct me/update this advisory.

Thank you in advance!
Best Regards, Dmitriy

[CallmeMari]

Hi @DmitriyLewen, we appreciate your contribution to the GitHub Advisory Database. Just to confirm we are reviewing the fix to the correct CVE can you please specify which CVE you are referring to? It would be helpful to include any references that validate your proposed change :)

[DmitriyLewen]

I said about CVE-2020-28500 (GHSA-29mw-wpgm-hmr9)

[advisory-database]

Hi @DmitriyLewen! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!