Lodash
CVE-2021-23337
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 224 npm packages depend on lodash (119 direct, 110 indirect)
- 1 npm packages depend on lodash-es (1 direct, 0 indirect)
- 38 npm packages depend on lodash-template (13 direct, 25 indirect)
- 2 npm packages depend on lodash.template (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 4.0.0 and other introduced versions.
DescriptionNVD
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
AnalysisAI
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Affected products include: Lodash, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Extensibility Workbench, Oracle Banking Supply Chain Finance. Version information: prior to 4.17.21.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
Server-side code injection in Lodash's _.template function (lodash, lodash-es, lodash-amd and lodash.template, versions
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. Rated critical severity (CVSS 9.1), this vu
Lodash versions up to 4.17.22 is affected by improperly controlled modification of object prototype attributes (prototyp
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Rated high severity (CVSS 7.4), this vul
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. Rated medium severity (CVSS 6.5), th
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaults
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today