lodash vulnerable to Code Injection via `_.template` imports key names
- Severity: High
Description
The fix for CVE-2021-23337 added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink.
When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
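A defender-side guard for this sink, added here as an example and not lodash's own code: it rejects any `options.imports` key that is not a plain, non-reserved identifier before the options reach `_.template`. The regex, the reserved-word list and the `guardedTemplate` wrapper name are this example's own choices; the real `_.template` is passed in as a parameter so the file runs without lodash installed.

```javascript
// Added example, not lodash's own code: check options.imports key names
// before they reach _.template, whose compiled source is assembled for the
// Function() constructor. Only plain, non-reserved identifiers pass.
// The regex and reserved-word list below are this example's own choices.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set((
  'break case catch class const continue debugger default delete do else ' +
  'enum export extends false finally for function if import in instanceof ' +
  'new null return super switch this throw true try typeof var void while ' +
  'with yield let static await implements package protected interface ' +
  'private public arguments eval'
).split(' '));

// Returns the first unacceptable key, or null when every key is a safe name.
// Anything with spaces, '=', ',' or brackets fails the regex, so a key shaped
// like a default-parameter expression is rejected rather than compiled.
function findBadImportKey(imports) {
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key) || RESERVED.has(key)) return key;
  }
  return null;
}

// Drop-in wrapper for a direct _.template call. `template` is the real
// _.template; passing it in keeps this example runnable without lodash.
function guardedTemplate(template, string, options = {}) {
  // typeof null === 'object', so exclude null explicitly.
  if (options.imports !== null && typeof options.imports === 'object') {
    const bad = findBadImportKey(options.imports);
    if (bad !== null) {
      throw new Error('Invalid imports key passed to _.template: ' + JSON.stringify(bad));
    }
  }
  return template(string, options);
}
```

Apply the same check to the `variable` option if your lodash version predates the CVE-2021-23337 fix, since both options end up in the same generated source.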
Recommendation
Update the lodash package to the latest compatible version. Version details:
- Affected version(s): >= 4.0.0, <= 4.17.23
- Patched version(s): 4.18.0
References
Related Issues
- lodash vulnerable to Code Injection via `_.template` imports key names - lodash-amd - CVE-2026-4800
- lodash vulnerable to Code Injection via `_.template` imports key names - lodash-es - CVE-2026-4800
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh - CVE-2026-45136
- Tags:
- npm
- lodash
Last updated on April 01, 2026


