Lodash
Remote code execution in Lodash <4.18.0 allows unauthenticated attackers to execute arbitrary JavaScript code during template compilation by injecting malicious key names into the options.imports parameter. The vulnerability bypasses the CVE-2021-23337 fix by exploiting an unvalidated code path that flows into the same Function() constructor sink. With a CVSS score of 8.1 (High) and no EPSS data provided, this represents a significant supply chain risk for applications that use Lodash's template functionality with untrusted input. No public exploit was confirmed at the time of analysis, though the technical details in the advisory provide a clear exploitation roadmap.
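As an added example (not code from the advisory or from Lodash itself), the guard below shows the two checks a defender would put in front of `_.template` while the upgrade is rolled out: reject any `options.imports` key that is not a plain identifier, since keys become parameter names in the generated `Function()` body, and flag installed versions below the fixed 4.18.0 release. The function names are illustrative; only `_.template` and `options.imports` come from the page.

```javascript
// Added example, not from the advisory or the Lodash project. Illustrative
// helper names; the only Lodash API referenced is _.template(source, options).

// Reserved words plus names a strict-mode function may not use as parameters.
// Syntactically they pass the identifier regex, so they are excluded here.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return',
  'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void',
  'while', 'with', 'yield', 'let', 'static', 'await', 'arguments', 'eval',
]);

// Only plain ASCII identifiers are accepted; anything else (whitespace,
// punctuation, operators) could be parsed as code once spliced into Function().
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeImportName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Own keys only, so inherited prototype entries are not treated as imports.
// Returns the offending keys; an empty list means the map is safe to pass on.
function findUnsafeImportKeys(imports) {
  if (imports === null || typeof imports !== 'object') return [];
  return Object.keys(imports).filter((key) => !isSafeImportName(key));
}

// Throws rather than silently dropping keys, so a rejected template shows up
// in application logs instead of compiling with fewer helpers than expected.
// Intended use: _.template(source, { imports: assertSafeImports(userImports) })
function assertSafeImports(imports) {
  const bad = findUnsafeImportKeys(imports);
  if (bad.length > 0) {
    throw new Error(`rejected options.imports keys: ${bad.map((k) => JSON.stringify(k)).join(', ')}`);
  }
  return imports;
}

// True when a dotted version string is below the fixed release from the
// advisory (4.18.0), i.e. the installed Lodash is still in the affected range.
function isAffectedLodashVersion(version, fixed = '4.18.0') {
  const parse = (v) => v.split('.').map((n) => parseInt(n, 10) || 0);
  const [have, want] = [parse(version), parse(fixed)];
  for (let i = 0; i < 3; i++) {
    if ((have[i] || 0) !== (want[i] || 0)) return (have[i] || 0) < (want[i] || 0);
  }
  return false;
}
```

Reading the version from `require('lodash/package.json').version` at startup and logging when `isAffectedLodashVersion` returns true gives a cheap inventory signal until the dependency is bumped.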