Description
Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
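The following added example (written for this page; it is not lodash's code) models the sink the description above refers to: a compile function that turns imports key names into the parameter list of a Function() call the way a template compiler would, beside a hardened version that applies the workaround (own, identifier-only key names). The names vulnerableCompile, hardenedCompile, the demo helpers and the globalThis.__demoMarker flag are assumptions made for the demonstration; the hostile key names only set that flag where real injected code would run.

```javascript
// Added example for this page (not lodash's code): a minimal model of the
// _.template sink described in the advisory. vulnerableCompile, hardenedCompile,
// the demo helpers and the globalThis.__demoMarker flag are assumptions made
// for the demonstration; the hostile key names only set that flag where real
// injected code would run.

// Vulnerable shape: every enumerable key of `imports`, own or inherited
// (for..in walks the prototype chain, like assignInWith), is spliced into the
// Function() parameter list unchecked, and the values are applied immediately.
function vulnerableCompile(source, imports) {
  const importsKeys = [];
  const importsValues = [];
  for (const key in imports) {
    importsKeys.push(key);
    importsValues.push(imports[key]);
  }
  // Function() stringifies the array: ['a', 'b'] -> "a,b". A key containing
  // "," or "=" therefore rewrites the parameter declaration itself.
  const factory = Function(importsKeys, 'return function (data) { return ' + source + '; };');
  // Applying the factory is what "compiles" the template; default-parameter
  // expressions in the declaration are evaluated right here.
  return factory.apply(undefined, importsValues);
}

// Hardened shape: own keys only, each restricted to a plain identifier
// (an assumed allowlist; reserved words still make Function() throw a SyntaxError).
const reIdentifier = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function hardenedCompile(source, imports) {
  const importsKeys = Object.keys(imports); // own, enumerable keys only
  for (const key of importsKeys) {
    if (!reIdentifier.test(key)) {
      throw new Error('Invalid imports key name: ' + JSON.stringify(key));
    }
  }
  const importsValues = importsKeys.map((key) => imports[key]);
  const factory = Function(importsKeys, 'return function (data) { return ' + source + '; };');
  return factory.apply(undefined, importsValues);
}

// Normal use: a developer-chosen helper name becomes a parameter, its value an argument.
function benignUse(compile) {
  const tpl = compile('"Hello, " + upper(data.name)', { upper: (s) => s.toUpperCase() });
  return tpl({ name: 'ada' });
}

// One key name that expands into two parameters. Only one value is supplied, so
// the second parameter falls back to its default expression, which runs at
// compile time. The expression here is a stand-in for arbitrary code.
const HOSTILE_KEY = 'upper = 0, injected = (globalThis.__demoMarker = "ran", 0)';

function demoUntrustedKey(compile) {
  globalThis.__demoMarker = 'not run';
  try {
    compile('"x"', { [HOSTILE_KEY]: (s) => s });
  } catch (err) {
    return { marker: globalThis.__demoMarker, error: err.message };
  }
  return { marker: globalThis.__demoMarker, error: null };
}

// Same payload arriving through a polluted Object.prototype: the caller's own
// imports object is empty, but for..in still sees the inherited key.
const POLLUTED_KEY = 'zz = 0, injected = (globalThis.__demoMarker = "ran", 0)';

function demoPollutedPrototype(compile) {
  globalThis.__demoMarker = 'not run';
  Object.prototype[POLLUTED_KEY] = 0; // stand-in for any pollution vector
  try {
    compile('"x"', {});
  } catch (err) {
    return { marker: globalThis.__demoMarker, error: err.message };
  } finally {
    delete Object.prototype[POLLUTED_KEY]; // always clean up the shared prototype
  }
  return { marker: globalThis.__demoMarker, error: null };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const compile of [vulnerableCompile, hardenedCompile]) {
    console.log(compile.name, benignUse(compile), demoUntrustedKey(compile), demoPollutedPrototype(compile));
  }
}
```

Run it with node: the vulnerable model sets the marker both from the attacker-chosen key and from the polluted prototype, while the hardened model rejects the hostile key and never sees the inherited one because Object.keys only returns own properties. Two points are worth keeping in mind when porting the check: the values of imports are passed as arguments and are never parsed as code, so the key name is the only thing that needs validating; and the allowlist regex is an assumption of this example, it approximates but does not reproduce the validation the advisory says lodash applies to the variable option.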
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

lodash's _.template accepts an options.imports object whose key names are used, unchecked, as the parameter list of the Function constructor that compiles the template; the corresponding values are only passed as arguments. If an attacker can choose a key name, the constructor parses it as JavaScript parameter syntax, so a name carrying a default-parameter expression is evaluated when lodash immediately invokes the compiled function, that is, inside the _.template call itself, before any template is rendered. Because _.template merges imports with assignInWith, which copies inherited properties via for..in, a polluted Object.prototype contributes keys to that parameter list as well, turning an otherwise unrelated prototype-pollution bug into a code-execution primitive. The weakness is code injection (CWE-94), rated on this page as remote code execution.

Affected Systems

All public lodash distributions (lodash, lodash-amd, lodash-es and lodash.template) are affected when the library version is older than 4.18.0. Applications that import the package through npm, yarn or another package manager and call _.template with imports whose key names are influenced by user input are at risk; so is any application that uses _.template at all while a prototype-pollution bug is present elsewhere in the process. The fix is to upgrade to 4.18.0 or later for all of these variants.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: no privileges or user interaction are required and the impact on confidentiality, integrity and availability is total, but attack complexity is rated high because exploitation needs an application that lets attacker-influenced strings become options.imports key names, or an independent prototype-pollution bug. EPSS is below 1%, the issue is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The exploitation path is nonetheless direct: any code path that compiles a template with such keys reaches the Function constructor, and the injected default-parameter expression runs wherever the template is compiled, on the server under Node.js or in the browser within the origin of the page.

Generated by OpenCVE AI on April 1, 2026 at 06:44 UTC.

Remediation

Per the advisory above: upgrade to lodash 4.18.0 or later. Until then, do not pass untrusted input as options.imports key names; use only developer-controlled, static names.

OpenCVE Recommended Actions

  • Upgrade lodash, lodash-amd, lodash-es and lodash.template to 4.18.0 or later.
  • Ensure that all keys supplied to options.imports originate from trusted, static data; never derive key names from user input. Values are passed as arguments and are not parsed as code; key names are.
  • If key names must be dynamic, allowlist them: accept only plain JavaScript identifiers (letters, digits, underscore and dollar sign, not starting with a digit) and reject anything containing `=`, `,`, parentheses or whitespace, since a single name can expand into several parameters with default-value expressions.
  • Treat prototype pollution as an enabling condition: because _.template copies inherited properties from Object.prototype into imports, a polluted prototype reaches Function() even when your own imports are clean. Fix pollution vectors in your own merge/extend code, and consider freezing Object.prototype early at process startup where the application tolerates it.
  • Regularly audit the application for uses of _.template with dynamic imports and apply the above controls.

Generated by OpenCVE AI on April 1, 2026 at 06:44 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-r5fr-rjxr-66jc
Title: lodash vulnerable to Code Injection via `_.template` imports key names
History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values added: Lodash; Lodash lodash; Lodash lodash.template
Type: Vendors & Products
Values added: Lodash; Lodash lodash; Lodash lodash.template

Thu, 02 Apr 2026 00:15:00 +0000

Type: References (values not shown)
Type: Metrics threat_severity
Values removed: None
Values added: Important


Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
Values added: the advisory description reproduced at the top of this page (Impact, Patches, Workarounds)
Type: Title
Values added: lodash vulnerable to Code Injection via `_.template` imports key names
Type: Weaknesses
Values added: CWE-94
Type: References (values not shown)
Type: Metrics cvssV3_1
Values added: score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Metrics ssvc
Values added: version 2.0.3; Automatable: no; Exploitation: none; Technical Impact: total


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-31T20:37:03.964Z

Reserved: 2026-03-25T09:12:38.355Z

Link: CVE-2026-4800

Vulnrichment

Updated: 2026-03-31T20:36:59.980Z

NVD

Status: Awaiting Analysis

Published: 2026-03-31T20:16:29.660

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-4800

Red Hat

Severity : Important

Public Date: 2026-03-31T19:25:55Z

Links: CVE-2026-4800 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:11:06Z

Weaknesses