Outdated Lodash Library Allows Attackers to Run Malicious Code on Your Server
Your application uses an old version of Lodash (3.10.1), a popular JavaScript helper library. This version has a known security flaw that could allow an attacker with access to your system to run their own commands on your server. Upgrading to the latest version closes this gap completely.
Business Impact And Actions
Business Impact (high urgency)
If exploited, an attacker who already has some level of access to your application could escalate that access to run arbitrary commands on your server — potentially reading sensitive data, modifying records, or disrupting your service. This could trigger compliance obligations (e.g., under GDPR or SOC 2) if customer data is accessed. The fix is a straightforward library upgrade.
What To Do
- Ask your developer to upgrade the Lodash library to version 4.17.21 or later — this is the official fix and typically takes under an hour.
- Ask your developer to check whether Lodash is also pulled in indirectly by other packages (called 'transitive dependencies') and ensure those are updated too.
- After the upgrade is deployed, ask your developer to confirm the new version is live using the verification steps in the technical report.
- Schedule a recurring dependency review (quarterly is common) so outdated libraries are caught early going forward.
Lodash < 4.17.21 — Command Injection via _.template() (CVE-2021-23337)
Vulnerability Explanation (high severity, CVSS 7.2)
The _.template() function in Lodash accepted a user-controlled 'variable' option without proper validation. By crafting a malicious value for this option, an attacker could break out of the template sandbox and inject arbitrary JavaScript or OS-level commands that execute in the context of the Node.js process. The attack requires the attacker to control input passed to _.template() — typically meaning they need some authenticated or privileged access to the application, but the impact once triggered is full command execution on the host.
Root Cause
The _.template() function used the 'variable' option to scope template data, but failed to validate or sanitize this value before incorporating it into a dynamically constructed Function() call. This allowed injection of arbitrary code into the generated function body — a classic code injection pattern stemming from unsafe dynamic code generation (CWE-94 / CWE-77).
Technical Impact
A remote authenticated attacker can execute arbitrary OS commands on the server running the Node.js application. Successful exploitation can lead to full confidentiality, integrity, and availability compromise of the affected system — including data exfiltration, data manipulation, and denial of service.
Severity Justification
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H — Network-reachable, low complexity, but requires high privileges. A public proof-of-concept exploit exists, making this realistically exploitable where the preconditions are met.
Affected Components
- lodash < 4.17.21
- lodash.template < 4.5.0 (standalone package)
Remediation Steps
- Upgrade lodash to 4.17.21 or later in your package.json: run `npm install lodash@latest` or `yarn add lodash@latest`.
- If using the standalone `lodash.template` package, upgrade it separately: `npm install lodash.template@latest`.
- Check for transitive dependencies that pin an older lodash version: run `npm ls lodash` (or `yarn why lodash`) and use `npm audit fix` or override the version in your package.json `overrides` / `resolutions` field if needed.
- Commit the updated package-lock.json or yarn.lock and redeploy your application.
- Avoid passing user-controlled input into the `variable` option of _.template() even on patched versions — treat it as an internal configuration value only.
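The last remediation step above, as an added example that is not part of this report or of the lodash code base: an allow-list gate for the `variable` option, applied before the template source is compiled. The allow-list names (`data`, `ctx`), the `hardenedTemplate` wrapper and the `fakeCompile` stand-in are assumptions for this example; in real code `compile` would be `_.template`.

```javascript
// Added example (not from the report or the lodash code base): an allow-list
// gate for the `variable` option of _.template(). The option is spliced into
// a generated function body, so only a plain JavaScript identifier that the
// developer chose in advance should ever reach it.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Static, developer-defined scope names (assumed allow-list for this example).
const ALLOWED_VARIABLES = new Set(['data', 'ctx']);

// Returns the validated name, or throws before anything reaches the compiler.
function checkTemplateVariable(variable) {
  if (variable === undefined) return undefined; // lodash default scoping applies
  if (typeof variable !== 'string') {
    throw new TypeError("template 'variable' option must be a string");
  }
  if (!IDENTIFIER.test(variable) || !ALLOWED_VARIABLES.has(variable)) {
    throw new Error(`rejected template 'variable' option: ${JSON.stringify(variable)}`);
  }
  return variable;
}

// Wraps any _.template-compatible compiler; it is passed in as `compile` so this
// file runs without lodash installed (in real code, pass _.template).
function hardenedTemplate(compile, source, options = {}) {
  return compile(source, { ...options, variable: checkTemplateVariable(options.variable) });
}

// Constructed stand-in for _.template so the wrapper can be exercised here.
function fakeCompile(source, options) {
  const scope = options.variable === undefined ? 'obj' : options.variable;
  return () => `compiled with scope ${scope}: ${source}`;
}

// Compiles fine: 'data' is a static identifier on the allow-list.
const render = hardenedTemplate(fakeCompile, 'Hello <%= data.name %>', { variable: 'data' });
console.log(render());
```

Anything that is not on the allow-list, including identifier-looking strings a request happens to contain, is rejected before compilation rather than relied on to be harmless.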
Verification Steps
- Run `npm ls lodash` and confirm all resolved versions are 4.17.21 or higher.
- Run `npm audit` and verify CVE-2021-23337 no longer appears in the output.
- If lodash is bundled into a frontend asset, inspect the built bundle: `grep -r '4\.17\.' dist/` and confirm the version string reflects 4.17.21+.
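The transitive-dependency check (remediation step 3) and the first verification step, as an added example that is not part of this report: a script that walks the JSON tree printed by `npm ls lodash --json --all` and flags every resolved lodash or lodash.template copy below the patched version. The `SAMPLE_TREE` object and the package name `legacy-widget` are constructed for this example.

```javascript
// Added example (not from the report): verify the dependency tree from
// `npm ls lodash --json --all`, including copies nested under other packages.
const PATCHED = { lodash: '4.17.21', 'lodash.template': '4.5.0' };

// Numeric compare of "MAJOR.MINOR.PATCH" strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version, vulnerable } for each tracked package.
function findVulnerableLodash(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (PATCHED[name] && node.version) {
      findings.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: compareVersions(node.version, PATCHED[name]) < 0,
      });
    }
    findings.push(...findVulnerableLodash(node, here)); // nested copies
  }
  return findings;
}

// Constructed sample of `npm ls --json` output: a patched direct lodash plus
// old copies pulled in transitively by a hypothetical "legacy-widget" package.
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    lodash: { version: '4.17.21' },
    'legacy-widget': {
      version: '1.0.0',
      dependencies: {
        lodash: { version: '3.10.1' },
        'lodash.template': { version: '4.4.0' },
      },
    },
  },
};

for (const f of findVulnerableLodash(SAMPLE_TREE)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} @ ${f.version}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the captured `npm ls lodash --json --all` output; any line marked VULNERABLE names the dependency path that still needs an upgrade or an `overrides` entry.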
Code Examples

package.json pinned to the vulnerable version:

```json
{
  "dependencies": {
    "lodash": "^3.10.1"
  }
}
```

package.json upgraded to the patched version:

```json
{
  "dependencies": {
    "lodash": "^4.17.21"
  }
}
```

If a transitive dependency forces an older version, add an override (npm `overrides` field; yarn uses `resolutions`):

```json
{
  "overrides": {
    "lodash": "^4.17.21"
  }
}
```
Best Practices
- Never pass user-controlled data into the `variable` option of _.template() — restrict it to static, developer-defined strings.
- Run `npm audit` as part of your CI/CD pipeline to catch vulnerable dependencies before they reach production.
- Use a dependency management tool (e.g., Dependabot, Renovate) to receive automated pull requests when new security patches are released.
- Audit transitive dependencies regularly — many lodash vulnerabilities surface through indirect dependencies, not direct ones.