VDB
SNYK-JS-LODASHES-2434284
SNYK-JS-LODASHES-2434284
PUBLISHED
CVSS 7.199999809265137 HIGH
## Overview Affected versions of this package are vulnerable to Code Injection via `template`. ### PoC ```js var _ = require('lodash'); _.template('', { variable: '){console.log(process.env)}; with(obj' })() ``` ## Remediation Upgrade `lodash-es` to version 4.17.21 or higher. ## References - [GitHub Commit](https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c) - [Vulnerable Code](https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851)
Risk Scores
CVSS 3.1
7.199999809265137
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Nov 17, 2020 CVE Updated
- Feb 15, 2021 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-LODASHES-2434284 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c patch
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851 technical