Advisories for Npm/Underscore package

2026

Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack

In simple words, some programs that use _.flatten or _.isEqual could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation follows. In affected versions of Underscore, the _.flatten and _.isEqual functions use recursion without a depth limit. …

2021

Arbitrary Code Execution in underscore

The underscore package, in versions from 1.13.0-0 and before 1.13.0-2 and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.