lodash vulnerable to Code Injection via `_.template` imports key names - lodash-amd
- Severity: High
Description
The fix for CVE-2021-23337 added validation for the `variable` option of `_.template` but did not apply the same validation to the key names of `options.imports`. Both values flow into the same `Function()` constructor sink: the `imports` key names become the parameter list of the generated function, so they are parsed as JavaScript rather than treated as data.
When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions (for example by including `,` and `=` in a key) that execute arbitrary code at template compilation time, when `_.template` is called, before the compiled template is ever rendered.
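The following is an added illustration, not lodash's own source: a minimal model of the compilation sink described above, beside the check the patched path needs. The forbidden-character class is assumed to match the one lodash applies to `variable` since CVE-2021-23337; the `compileUnsafe`, `compileSafe` and `demo` names and the `globalThis.__probe` marker are constructed for the example.

```javascript
'use strict';

// Assumption: same identifier check lodash applies to `options.variable`
// since the CVE-2021-23337 fix (reproduced here, not imported from lodash).
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

// Model of the vulnerable path: `imports` key names become the parameter list
// of the generated function, verbatim. Function(['a','b'], body) stringifies
// the array to "a,b", so anything in a key name is parsed as JavaScript.
function compileUnsafe(source, imports) {
  const importsKeys = Object.keys(imports);
  const importsValues = importsKeys.map((k) => imports[k]);
  // The outer wrapper is invoked immediately to produce the template function,
  // so any default-parameter expression fires at compilation time.
  return Function(importsKeys, 'return function(obj) { return ' + source + '; }')
    .apply(undefined, importsValues);
}

// Hardened model: reject any key that is not a plain identifier before it
// reaches the Function() constructor, as the `variable` option already is.
function compileSafe(source, imports) {
  for (const key of Object.keys(imports)) {
    if (reForbiddenIdentifierChars.test(key)) {
      throw new Error('Invalid `imports` key name: ' + JSON.stringify(key));
    }
  }
  return compileUnsafe(source, imports);
}

function demo() {
  const results = {};
  globalThis.__probe = 0;
  // Constructed attacker-controlled key name: it smuggles in a second
  // "parameter" whose default value is an arbitrary expression. No argument is
  // supplied for it, so the default runs during compilation.
  const hostileImports = { 'a, b = (globalThis.__probe = 42)': 'ignored' };

  compileUnsafe('a', hostileImports);       // compiling alone executes the payload
  results.unsafeProbe = globalThis.__probe; // 42

  globalThis.__probe = 0;
  try {
    compileSafe('a', hostileImports);
    results.safeRejected = false;
  } catch (e) {
    results.safeRejected = true;
  }
  results.safeProbe = globalThis.__probe;   // 0: payload never reached Function()

  // Legitimate imports still work through the hardened path.
  const tpl = compileSafe('greeting + " " + obj.name', { greeting: 'hello' });
  results.benign = tpl({ name: 'world' });  // "hello world"
  return results;
}
```

The check belongs before the `Function()` call, on every key, because the sink treats the joined key list as source text; validating `variable` alone leaves this second path open, which is exactly the gap the advisory describes.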
Recommendation
Update the lodash-amd package to the latest compatible version. Version details:
- Affected version(s): >= 4.0.0, <= 4.17.23
- Patched version(s): 4.18.0
References
Related Issues
- lodash vulnerable to Code Injection via `_.template` imports key names - CVE-2026-4800
- lodash vulnerable to Code Injection via `_.template` imports key names - lodash-es - CVE-2026-4800
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- Tags:
- npm
- lodash-amd
Last updated on April 01, 2026


