VDB
KO
HIGH 7.2

GHSA-35jh-r3h4-6jhm

Command Injection in lodash

Details

`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / lodash
Introduced in: 0 Fixed in: 4.17.21
Fix npm install lodash@4.17.21
npm / lodash-es
Introduced in: 0 Fixed in: 4.17.21
Fix npm install lodash-es@4.17.21
npm / lodash.template
Introduced in: 0

No fixed version published yet for lodash.template (npm). Pin to a known-safe version or switch to an alternative.

npm / lodash-template
Introduced in: 0

No fixed version published yet for lodash-template (npm). Pin to a known-safe version or switch to an alternative.

RubyGems / lodash-rails
Introduced in: 0 Fixed in: 4.17.21
Fix bundle update lodash-rails

References