MORPH
SIGN IN SIGN UP
morphadmin / lodash-bench

A modern JavaScript utility library delivering modularity, performance, & extras.

0 0 2 JavaScript

[Security Critical] _.template() compiles untrusted input as executable code (CVE-2021-23337 / CWE-94) #3

open bhaktateas opened this issue · 0 comments
bhaktateas bhaktateas commented

Summary

The bundled lodash.js (v4.17.23) includes _.template(), which compiles template strings into live JavaScript functions using new Function(...). The function is explicitly acknowledged as insecure in the project's own threat-model.md and is associated with CVE-2021-23337 (CVSS 7.2 HIGH).

Affected File

File Lines Description
lodash.js ~14885–15050 _.template() implementation using new Function(importsKeys, sourceURL + 'return ' + source)
lodash.js ~1750–1813 templateSettings with evaluate delimiter (<% ... %>) enabling arbitrary JS execution
threat-model.md entire file Self-documents _.template as insecure and slated for removal in v5

Technical Detail

_.template() works by:

  1. Parsing the template string for <% ... %> (evaluate), <%= ... %> (interpolate), and <%- ... %> (escape) delimiters.
  2. Building a JavaScript source string from that input.
  3. Executing it via new Function(...) — equivalent to eval().

If an attacker controls the template string or the variable option, arbitrary JavaScript can be injected and executed in the same privilege context as the calling application.

The library's own documentation (threat-model.md) states:

"The current implementation of _.template compiles template strings into executable code, which can lead to code injection when given untrusted input (e.g., CVE-2021-23337). For that reason we consider it insecure and advise against its use."

CVE Reference

  • CVE-2021-23337 — Command Injection via _.template in lodash < 4.17.21

Recommendation

  1. Do not pass user-controlled data as the template string to _.template().
  2. If template rendering is required, migrate to a safe, sandboxed alternative (e.g., mustache, handlebars with strict escaping).
  3. Plan removal of _.template usage ahead of the Lodash v5 upgrade, which will drop this function entirely.
  4. Add a linting rule (e.g., eslint-plugin-security) to flag _.template usage in the codebase.

Severity

Critical — Code injection / RCE if untrusted input reaches _.template().

Reported by Morph Code automated security scanner.

ADD COMMENT