VulnerableCode Package Details - pkg:npm/lodash.template@4.18.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-an5j-y3cq-gbfx	lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`. ### Patches Users should upgrade to version 4.18.0. The fix applies two changes: 1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option) 2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated ### Workarounds Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.	CVE-2026-4800 GHSA-r5fr-rjxr-66jc

Vulnerability

Summary

Aliases

VCID-an5j-y3cq-gbfx

lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`. ### Patches Users should upgrade to version 4.18.0. The fix applies two changes: 1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option) 2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated ### Workarounds Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.

CVE-2026-4800
GHSA-r5fr-rjxr-66jc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T17:01:39.154718+00:00	GHSA Importer	Fixing	VCID-an5j-y3cq-gbfx	https://github.com/advisories/GHSA-r5fr-rjxr-66jc	38.1.0
2026-04-02T12:52:52.793345+00:00	GithubOSV Importer	Fixing	VCID-an5j-y3cq-gbfx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5fr-rjxr-66jc/GHSA-r5fr-rjxr-66jc.json	38.0.0

2026-04-02T17:01:39.154718+00:00

GHSA Importer

Fixing

VCID-an5j-y3cq-gbfx

https://github.com/advisories/GHSA-r5fr-rjxr-66jc

38.1.0

2026-04-02T12:52:52.793345+00:00

GithubOSV Importer

Fixing

VCID-an5j-y3cq-gbfx

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r5fr-rjxr-66jc/GHSA-r5fr-rjxr-66jc.json

38.0.0