Why you should stop using lodash and similar?

The pandora box

TLDR;

Lodash has a long history of vulnerabilities, the first one registered was on 23 Apr, 2012 for version 0.1.0

Please have a look at this link https://snyk.io/vuln/npm:lodash

Why people even use lodash

Lodash makes JavaScript easier by taking the hassle out of working with arrays, numbers, objects, strings, etc. Lodash’s modular methods are great for:

• Iterating arrays, objects, & strings
• Manipulating & testing values
• Creating composite functions

Is it really that useful?

In my opinion NO! 👎

Most of the features can be written in plain JS, while other need a bit of overhead.

I think that not using it, you gain 2 things:

1. You learn more advanced JS.
2. The time you spend into learning the lodash library, you can spend it into learning more advanced JS, which will definitely pay later on.

What are the kind of vulnerabilities that lodash introduces?

The worst kind:

1. Prototype Pollution
2. Command Injection

Lets talk a bit about those vulnerabilities

Prototype Pollution

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge
• Property definition by path

Command Injection

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.

So how bad is it?

Extremely bad!!!

1. While developing, the code that you are running is on your computer, think about all the “secrets” that you have on it: passwords, vpns, private documents. A multi stage attack using multiple module updates and multiple packages can be undetectable by antivirus, and it can possibly gain root access .
2. In production can gain access to data from possibly billions of users, like: credit cards, phone number, email, home address and more…

What can we do?

Not much.

We can all try to NOT use lodash or simillike libraries.

Explain to everyone we know why using lodash is a bad idea.

Thank you for reading 🙏.

And remember that you can clap 👏 multiple time.