VulnerableCode Package Details - pkg:npm/lodash.template@4.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-an5j-y3cq-gbfx Aliases: CVE-2026-4800 GHSA-r5fr-rjxr-66jc	lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`. ### Patches Users should upgrade to version 4.18.0. The fix applies two changes: 1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option) 2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated ### Workarounds Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.	4.18.0 Affected by 0 other vulnerabilities.
VCID-dzeb-zu9x-g3bq Aliases: CVE-2019-10744 GHSA-jf85-cpcp-j695	Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.	4.5.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fhw1-4c1k-sfh3 Aliases: CVE-2021-23337 GHSA-35jh-r3h4-6jhm	Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-an5j-y3cq-gbfx
Aliases:
CVE-2026-4800
GHSA-r5fr-rjxr-66jc

lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`. ### Patches Users should upgrade to version 4.18.0. The fix applies two changes: 1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option) 2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated ### Workarounds Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.

4.18.0
Affected by 0 other vulnerabilities.

VCID-dzeb-zu9x-g3bq
Aliases:
CVE-2019-10744
GHSA-jf85-cpcp-j695

Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

4.5.0
Affected by 1 other vulnerability.

VCID-fhw1-4c1k-sfh3
Aliases:
CVE-2021-23337
GHSA-35jh-r3h4-6jhm

Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:22:16.753921+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2021-23337.yml	38.4.0
2026-04-16T20:56:00.150384+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2019-10744.yml	38.4.0
2026-04-16T01:44:02.220731+00:00	GHSA Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://github.com/advisories/GHSA-35jh-r3h4-6jhm	38.4.0
2026-04-11T22:34:48.755771+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2021-23337.yml	38.3.0
2026-04-11T22:07:01.588812+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2019-10744.yml	38.3.0
2026-04-11T13:13:14.672785+00:00	GHSA Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://github.com/advisories/GHSA-35jh-r3h4-6jhm	38.3.0
2026-04-02T22:45:56.612685+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2021-23337.yml	38.1.0
2026-04-02T22:19:48.884953+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2019-10744.yml	38.1.0
2026-04-02T17:01:39.151239+00:00	GHSA Importer	Affected by	VCID-an5j-y3cq-gbfx	https://github.com/advisories/GHSA-r5fr-rjxr-66jc	38.1.0
2026-04-02T14:04:38.621957+00:00	GHSA Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://github.com/advisories/GHSA-35jh-r3h4-6jhm	38.1.0
2026-04-01T17:03:50.142527+00:00	GitLab Importer	Affected by	VCID-fhw1-4c1k-sfh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2021-23337.yml	38.0.0
2026-04-01T16:37:35.496203+00:00	GitLab Importer	Affected by	VCID-dzeb-zu9x-g3bq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash.template/CVE-2019-10744.yml	38.0.0