• I recently got a report from my org's IT team that a couple of CVEs were identified in versions of lodash <4.17.21.

    To meet our org's compliance deadline I had to manually upgrade this plugin's lodash script to v4.17.21, in addition to other lodash copies in WordPress core and other plugins I am using. I just saw y'all released an update for 1.14.1 and I expect updating to that version will revert my local change.

    Additionally, in digging around a bit, WordPress core as of 6.2.2 includes lodash 4.17.21 which you could enqueue instead of registering your own copy and avoid the maintenance overhead.
    sauce: https://wordpress.org/support/topic/lodash-vulnerabilities/#post-16936369

    The CVEs in question are:

    Reachable and EPSS > 1%

    Reachable and EPSS < 1%

    • This topic was modified 6 months, 3 weeks ago by branacleboy. Reason: updating for context around wordpress core including an updated version of lodash
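    As an added illustration of the suggestion above (not code from the thread or from the plugin), this snippet prefers the Lodash handle that WordPress core registers and only registers a plugin-shipped copy when core's is missing or older than 4.17.21. The handle names, file paths and the assumption that core exposes a version string on its `lodash` handle are hypothetical.

```php
<?php
// Added example (not from the plugin or the thread): reuse WordPress core's
// registered Lodash build instead of shipping one, falling back to a
// plugin-bundled copy only when core's handle is absent or below the
// fixed version from the thread (4.17.21). Handle names and paths are made up.

const MYPLUGIN_LODASH_MIN_VERSION = '4.17.21';

/**
 * True when core has registered a Lodash build at or above the minimum
 * version, so the plugin should depend on it rather than register its own.
 */
function myplugin_core_lodash_is_usable() {
    if ( ! wp_script_is( 'lodash', 'registered' ) ) {
        return false;
    }
    $registered = wp_scripts()->registered['lodash'];
    // Assumption: core sets a version string on the handle. An empty or
    // false version is treated as unknown and therefore not trusted.
    if ( empty( $registered->ver ) ) {
        return false;
    }
    return version_compare( $registered->ver, MYPLUGIN_LODASH_MIN_VERSION, '>=' );
}

function myplugin_enqueue_admin_scripts() {
    $lodash_handle = 'lodash';
    if ( ! myplugin_core_lodash_is_usable() ) {
        // Fallback: register the plugin's own patched copy under a distinct
        // handle so it never overrides core's registration for other plugins.
        $lodash_handle = 'myplugin-lodash';
        wp_register_script(
            $lodash_handle,
            plugins_url( 'js/lodash.min.js', __FILE__ ), // hypothetical path
            array(),
            MYPLUGIN_LODASH_MIN_VERSION,
            true
        );
    }
    // The plugin's own admin script declares Lodash as a dependency; WordPress
    // loads whichever handle was chosen above before it.
    wp_enqueue_script(
        'myplugin-admin',
        plugins_url( 'js/admin.js', __FILE__ ),          // hypothetical path
        array( $lodash_handle ),
        '1.0.0',
        true
    );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_scripts' );
```

    With this arrangement, a site whose core Lodash is already patched carries a single copy, and an unpatched fallback is only ever loaded when core offers nothing usable.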
Viewing 1 replies (of 1 total)
  • Plugin Author Janis Elsts (@whiteshadow)

    You’re correct, version 1.14.1 still uses the same old version of Lodash. But this looks like an easy upgrade to make, so the next AME update will switch to Lodash 4.17.21.


The topic ‘lodash CVE’ is closed to new replies.