Description
Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
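The workaround above can be enforced in code. The following is an added example, not lodash's own code: it validates every options.imports key name as a plain identifier and copies only own keys, so an inherited key from a polluted prototype is never forwarded to the template compiler. The `compile` callback is an assumption standing in for `_.template` so the file runs without lodash installed.

```javascript
// Added example, not lodash's own code: enforce the advisory's workaround
// before options.imports reaches _.template. Two checks:
//   1. every imports key must be a plain identifier (no punctuation, so it
//      cannot carry a default-parameter expression into Function());
//   2. only *own* keys are copied, so keys inherited from a polluted
//      Object.prototype (which for..in would enumerate) are never forwarded.
// Reserved words still pass check 1; they would only make Function() throw a
// SyntaxError rather than run injected code.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns a prototype-less copy holding only own, validated keys.
// Throws on any key that could not serve as a bare parameter name.
function sanitizeImports(imports) {
  const clean = Object.create(null);
  for (const key of Object.keys(imports)) {        // own enumerable keys only
    if (!IDENTIFIER.test(key)) {
      throw new TypeError('imports key is not a plain identifier: ' + JSON.stringify(key));
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Wrapper around a template compiler. `compile` is an assumed callback that
// stands in for _.template in a real application.
function safeTemplate(source, options, compile) {
  const opts = Object.assign({}, options);
  if (opts.imports) opts.imports = sanitizeImports(opts.imports);
  return compile(source, opts);
}

// Constructed demonstration: a normal imports object, a key name that is not
// an identifier, and an object whose prototype carries an extra key (a local
// stand-in for what Object.prototype pollution would look like).
function demo() {
  const okKeys = Object.keys(sanitizeImports({ escapeHtml: (s) => s, _: {} }));

  let rejected = false;
  try { sanitizeImports({ 'not an identifier': 1 }); }
  catch (e) { rejected = e instanceof TypeError; }

  const polluted = Object.create({ inherited: 'from prototype' });
  polluted.own = 1;
  const forInSees = [];
  for (const k in polluted) forInSees.push(k);     // what a for..in merge would copy
  const cleanedKeys = Object.keys(sanitizeImports(polluted));

  return { okKeys, rejected, forInSees, cleanedKeys };
}
```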
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Code injection leading to arbitrary code execution during template compilation
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because Lodash's template rendering function, _.template, does not validate the key names supplied in the options.imports object. These key names are used to build default-parameter expressions that are compiled with the JavaScript Function constructor. Because the earlier patch for CVE-2021-23337 did not extend its validation to these key names, an attacker can supply crafted key names that are interpreted as code and executed at compile time, resulting in arbitrary code execution in the JavaScript runtime. This is a classic code-injection weakness (CWE-94) that lets an attacker control program execution flow.

Affected Systems

The flaw affects multiple Lodash distributions, including the core library (lodash), the AMD build, the ES module build, and the standalone template module. All versions of these packages released before the 4.18.0 patch are considered vulnerable. Users of these packages in Node.js or browser environments that construct templates from potentially untrusted data are at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score is reported below 1%, suggesting that the risk of exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an environment where the application supplies key names for template imports from untrusted sources or where the JavaScript prototype chain has been polluted; either condition allows an attacker to inject malicious code that runs when the template is compiled. The attack would grant full control over the runtime in server-side or client-side contexts where the vulnerable code executes.

Generated by OpenCVE AI on April 7, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lodash to version 4.18.0 or later.
  • Replace any code that passes user-controlled values as key names in options.imports with static, developer-controlled names.
  • If an immediate upgrade is not feasible, remove or sanitize all untrusted data before it becomes part of the imports object.



Advisories
Source: Github GHSA
ID: GHSA-r5fr-rjxr-66jc
Title: lodash vulnerable to Code Injection via `_.template` imports key names
History

Fri, 01 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Lodash lodash-amd
CPEs cpe:2.3:a:lodash:lodash-rails:*:*:*:*:*:ruby:*:* cpe:2.3:a:lodash:lodash-amd:*:*:*:*:*:node.js:*:*
Vendors & Products Lodash lodash-rails
Lodash lodash-amd

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Lodash lodash-es
Lodash lodash-rails
CPEs cpe:2.3:a:lodash:lodash-es:*:*:*:*:*:node.js:*:*
cpe:2.3:a:lodash:lodash-rails:*:*:*:*:*:ruby:*:*
cpe:2.3:a:lodash:lodash.template:*:*:*:*:*:node.js:*:*
cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
Vendors & Products Lodash lodash-es
Lodash lodash-rails

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Lodash
Lodash lodash
Lodash lodash.template
Vendors & Products Lodash
Lodash lodash
Lodash lodash.template

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None (removed), Important (added)


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description (added): the Impact, Patches and Workarounds text shown in the Description section at the top of this page.
Title lodash vulnerable to Code Injection via `_.template` imports key names
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-31T20:37:03.964Z

Reserved: 2026-03-25T09:12:38.355Z

Link: CVE-2026-4800

Vulnrichment

Updated: 2026-03-31T20:36:59.980Z

NVD

Status : Analyzed

Published: 2026-03-31T20:16:29.660

Modified: 2026-05-01T18:09:13.047

Link: CVE-2026-4800

Redhat

Severity : Important

Public Date: 2026-03-31T19:25:55Z

Links: CVE-2026-4800 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T20:00:14Z

Weaknesses