CVE-2026-4800
Description
Impact:
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
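The following guard, added here as an example and not lodash's own code, implements the workaround above in front of _.template: only the caller's own keys are copied into options.imports, each must be a plain identifier (so no default-parameter expression can ride in on a key name), and the same allowlist is applied to variable. The names sanitizeTemplateOptions, assertIdentifier and forInKeys are hypothetical.

```javascript
// Added example (not lodash code): guard template options before they reach
// _.template, so untrusted or inherited key names never reach Function().

// Accept only a plain JavaScript identifier. Such a name cannot introduce a
// default value (`=`), a comment (`/`), or extra parameters (`,` `(` `)`
// `[` `]` `{` `}`) into the generated parameter list.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function assertIdentifier(name, what) {
  if (typeof name !== 'string' || !IDENTIFIER.test(name)) {
    throw new Error('Invalid ' + what + ' passed into template: ' + JSON.stringify(name));
  }
  return name;
}

// Returns a copy of `options` whose `imports` holds only the caller's own,
// validated keys on a null-prototype object. Object.keys() (unlike the
// for..in walk that assignInWith performs) never reports properties that a
// prototype-pollution bug added to Object.prototype.
function sanitizeTemplateOptions(options) {
  const opts = Object.assign({}, options);
  const imports = Object.create(null);
  for (const key of Object.keys(opts.imports || {})) {
    imports[assertIdentifier(key, '`imports` key name')] = opts.imports[key];
  }
  opts.imports = imports;
  if (opts.variable !== undefined) {
    assertIdentifier(opts.variable, '`variable` option');
  }
  return opts;
}

// The enumeration assignInWith relies on, shown for contrast: it lists
// inherited (including polluted) keys that Object.keys() leaves out.
function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}
```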
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lodash (npm) | >= 4.0.0, < 4.18.0 | 4.18.0 |
| lodash-es (npm) | >= 4.0.0, < 4.18.0 | 4.18.0 |
| lodash-amd (npm) | >= 4.0.0, < 4.18.0 | 4.18.0 |
| lodash.template (npm) | >= 4.0.0, < 4.18.0 | 4.18.0 |
Affected products
Patches
Commit 3469357cff39: Prevent command injection through `_.template`'s `variable` option
2 files changed · +28 −1
lodash.js+20 −1 modified@@ -19,7 +19,8 @@ /** Error message constants. */ var CORE_ERROR_TEXT = 'Unsupported core-js use. Try https://npms.io/search?q=ponyfill.', - FUNC_ERROR_TEXT = 'Expected a function'; + FUNC_ERROR_TEXT = 'Expected a function', + INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`'; /** Used to stand-in for `undefined` hash values. */ var HASH_UNDEFINED = '__lodash_hash_undefined__'; @@ -165,6 +166,18 @@ /** Used to match words composed of alphanumeric characters. */ var reAsciiWord = /[^\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]+/g; + /** + * Used to validate the `validate` option in `_.template` variable. + * + * Forbids characters which could potentially change the meaning of the function argument definition: + * - "()," (modification of function parameters) + * - "=" (default value) + * - "[]{}" (destructuring of function parameters) + * - "/" (beginning of a comment) + * - whitespace + */ + var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/; + /** Used to match backslashes in property paths. */ var reEscapeChar = /\\(\\)?/g; @@ -14866,6 +14879,12 @@ if (!variable) { source = 'with (obj) {\n' + source + '\n}\n'; } + // Throw an error if a forbidden character was found in `variable`, to prevent + // potential command injection attacks. + else if (reForbiddenIdentifierChars.test(variable)) { + throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT); + } + // Cleanup code by stripping empty strings. source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source) .replace(reEmptyStringMiddle, '$1')
test/test.js+8 −0 modified@@ -22296,6 +22296,14 @@ } }); + QUnit.test('should forbid code injection through the "variable" options', function(assert) { + assert.expect(1); + + assert.raises(function () { + _.template('', { 'variable': '){console.log(process.env)}; with(obj' }); + }); + }); + QUnit.test('should support custom delimiters', function(assert) { assert.expect(2);
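Review bot: the doc comment on the new regex in the second lodash.js hunk reads "Used to validate the `validate` option in `_.template` variable", which has the words swapped; it should say "Used to validate the `variable` option in `_.template`". Separately, reForbiddenIdentifierChars is a denylist of characters, and for a value that is spliced into a Function() parameter list the safer check is an allowlist of what a parameter name may be, e.g. `/^[A-Za-z_$][\w$]*$/`; that also catches anything the enumerated classes miss without changing behaviour for any legitimate identifier.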
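Review bot: the new else-if branch in the third lodash.js hunk validates only `variable`; as the advisory description notes, options.imports key names flow into the same Function() sink, and nothing in this hunk tests them against reForbiddenIdentifierChars. The same check (or an identifier allowlist) should be applied to each key of the merged imports object before the function source is built, and the error text should say which option was rejected.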
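Review bot: the new QUnit test in test/test.js covers a single payload that combines `)`, `{`, `}` and whitespace, so a regression that drops one class from the regex (for example `=` or `[`) would still pass; add one `assert.raises` case per forbidden class and a positive case confirming that a plain identifier such as `'data'` still compiles, and fix the title's "variable" options to "variable" option.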
Vulnerability mechanics
References
- cna.openjsf.org/security-advisories.html (source: nvd; Third Party Advisory; web)
- github.com/advisories/GHSA-35jh-r3h4-6jhm (source: nvd; advisory)
- github.com/advisories/GHSA-r5fr-rjxr-66jc (source: ghsa; advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4800 (source: ghsa; advisory)
- github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c (source: nvd; web)
- github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc (source: ghsa; web)