SNYK-JS-LODASHTEMPLATE-1088054
## Overview

[lodash.template](https://www.npmjs.com/package/lodash.template) is the Lodash method `_.template` exported as a Node.js module.

Affected versions of this package are vulnerable to Code Injection via `template`.

### PoC

```js
var _ = require('lodash');

// The value of the `variable` option is inserted into the compiled template's source.
_.template('', { variable: '){console.log(process.env)}; with(obj' })()
```

## Remediation

There is no fixed version for `lodash.template`.

## References

- [GitHub Commit](https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c)
- [Vulnerable Code](https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851)
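Because the Remediation section lists no fixed version, one application-side mitigation is to reject any `variable` option that is not a plain identifier before it reaches the template compiler. The following is an added example, not code from lodash or from this advisory; `guardTemplate`, `assertSafeVariable`, `classify` and the sample values are hypothetical, and the stub compiler stands in for `_.template` so the block runs without the package installed.

```javascript
// Added example; guardTemplate and assertSafeVariable are hypothetical names.
// Allow-list: `variable` must be a plain ASCII JavaScript identifier.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function assertSafeVariable(options) {
  if (options === null || options === undefined) return options;
  const v = options.variable; // property read also sees an inherited value
  if (v === undefined) return options;
  if (typeof v !== 'string' || !IDENTIFIER.test(v)) {
    throw new TypeError('template option `variable` must be a plain identifier');
  }
  return options;
}

// Wrap any template compiler that takes (text, options), as _.template does.
function guardTemplate(templateFn) {
  return (text, options) => templateFn(text, assertSafeVariable(options));
}

// Classify constructed sample values as accepted or rejected by the guard.
function classify(samples) {
  const stub = guardTemplate((text) => () => text); // stand-in compiler
  return samples.map((variable) => {
    try {
      stub('', { variable });
      return 'accepted';
    } catch (err) {
      return 'rejected';
    }
  });
}

// Constructed inputs; the second is the option value from the PoC above.
const SAMPLES = [
  'data',                                   // ordinary identifier
  '){console.log(process.env)}; with(obj',  // PoC value
  'obj.user',                               // member expression, not an identifier
  42,                                       // non-string
];
console.log(classify(SAMPLES));
```

In an application the wrapper would be applied once, for example `const template = guardTemplate(_.template)`, and every call site would use the wrapped function.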
Timeline
- Nov 17, 2020 CVE Updated
- Feb 15, 2021 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://www.npmjs.com/package/lodash.template vendor
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c patch
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851 technical