Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

It's only downloaded 26.5m times a week, NBD


A lingering vulnerability in lodash, a popular JavaScript helper library distributed through package manager npm, has prompted developers to kvetch about the fragile state of security.

The occasion for the renewal of what's been a longstanding concern was the publication on Wednesday of an npm security advisory, which should now be showing up as a command line warning among those using npm's "audit" command, or those using npm to install a package that has lodash as a dependency.

That's likely to be a lot of people, given that over 118,000 packages include lodash, which as a result gets downloaded over 26.5m times a week. This despite the fact that lodash probably isn't necessary in many projects today thanks to ongoing additions to the JavaScript language.

The flaw at issue is a prototype pollution attack, by which an attacker can inject properties into the prototype of Object, the basic JavaScript data structure from which almost all other JavaScript objects descend.

Adding or modifying object properties in this way means child objects inherit these properties, which could lead to denial of service or arbitrary code execution under certain circumstances.

Finding bugs in code

Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows

READ MORE

The bug, considered low severity, resides in lodash's zipObjectDeep function and can be exploited by passing the function a set of arrays that includes a specific key value. It was disclosed to bug bounty service Hacker One in October last year and John-David Dalton, the creator and primary maintainer of lodash, appears to have been notified in early December, 2019.

A similar lodash bug affecting the functions merge, mergeWith, and defaultsDeep was disclosed in October 2018 and was the most commonly found vulnerability in commercial open source applications, according to a report from design automation biz Synopsys in May.

There have been two pull requests – lines of corrected code – to fix the security flaw, both of which have been waiting around for about two months to be merged into the lodash project code so an update can be released.

The problem, as one developer observed on Hacker News, is that "There is essentially one (unpaid) person who has power to release lodash, a library that a huge majority of reasonably-sized javascript projects now depend on."

That person is Dalton, who currently works as a UI security engineer at Salesforce and is involved in various other web tech projects. The Register attempted to reach Dalton for comment but we've not heard back.

Dalton is clearly aware there's a bottleneck in the lodash release process – the last time the library was revised was version 4.17.15, which arrived on Jul 17, 2019. In June, via Twitter, he put out a call for volunteers to help him maintain lodash and other projects he has, promising maintainer status for those who respond.

As this story was being written on Thursday afternoon, he merged one of the pull requests to fix the issue, so an update can be expected soon.

You were expecting something more for free software from unpaid volunteers? ®


Biting the hand that feeds IT © 1998–2020