CVE-2021-23337 — Lodash Command Injection HIGH
🔴 CISA KEV
npm
CVSS 7.2 · lodash < 4.17.21 → 4.17.21
In lodash before 4.17.21, `_.template()` splices the value of its `variable` option verbatim into the JavaScript source it hands to the `Function()` constructor, without checking that the value is a plain identifier. Anyone who controls that option can close the generated parameter list and inject arbitrary JavaScript, which runs with the privileges of the calling process (on Node.js, typically the server). If any code path passes untrusted input as the `variable` option to `_.template()`, you are vulnerable. Note that the template string itself is executed as code by design in every version, so it must never be attacker-controlled either.
What's affected
| Package | Ecosystem | Vulnerable | Safe version | Fix guide |
|---|---|---|---|---|
| lodash | npm | < 4.17.21 | 4.17.21 | Full fix guide → |
How to fix CVE-2021-23337
- Update lodash to 4.17.21 or later (`npm install lodash@^4.17.21`), and run `npm ls lodash` to find nested copies pinned by transitive dependencies, which also need updating
- Run `npm install` and commit the refreshed lockfile
- Never pass user-controlled data to `_.template()`, neither as the `variable` option nor as the template string itself; if a template needs a custom variable name, validate it against an identifier allowlist before it reaches lodash
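The example below, added here and not part of the original advisory or of lodash itself, is a constructed, stripped-down model of the compilation step behind this CVE: an unvalidated `variable` option is spliced into source text that is then evaluated with `Function()`. It shows the injection succeeding against the unsafe version, and the same payload being rejected by an allowlist check of the kind the third step above calls for (lodash 4.17.21's own fix is a denylist that rejects `( ) = , { } [ ] /` and whitespace in `variable`; the stricter identifier allowlist used here is an assumption, not lodash's regex). The function names, the `globalThis.__pwned` marker and the sample template are all constructed for the demonstration.

```javascript
// Constructed, simplified model of how lodash's _.template() compiles a
// template when the `variable` option is set. This is NOT lodash's source;
// it reproduces only the relevant step: `variable` becomes part of the
// JavaScript source text that is handed to the Function constructor.
function compileTemplateUnsafe(text, options = {}) {
  const variable = options.variable || "obj";

  // Toy interpolation: only the <%= expr %> tag is supported, and
  // expressions must reference the named variable (e.g. data.name).
  let body = "";
  let index = 0;
  const tag = /<%=([\s\S]+?)%>/g;
  let m;
  while ((m = tag.exec(text)) !== null) {
    body += "__p += " + JSON.stringify(text.slice(index, m.index)) + ";\n";
    body += "__p += ((__t = (" + m[1] + ")) == null ? '' : __t);\n";
    index = m.index + m[0].length;
  }
  body += "__p += " + JSON.stringify(text.slice(index)) + ";\n";

  // The injection point: whatever `variable` contains is emitted verbatim
  // as the parameter list of the generated function.
  const source =
    "function(" + variable + ") {\n" +
    "var __t, __p = '';\n" + body +
    "return __p;\n}";
  return Function("return " + source)();
}

// Hardened wrapper: only accept a `variable` that is a single JavaScript
// identifier. Assumed allowlist, stricter than lodash's own denylist.
const VALID_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileTemplateSafe(text, options = {}) {
  const variable = options.variable || "obj";
  if (!VALID_IDENTIFIER.test(variable)) {
    throw new Error("Invalid `variable` option: not an identifier");
  }
  return compileTemplateUnsafe(text, { ...options, variable });
}

// Constructed payload in the shape of the public proof of concept: close the
// parameter list, supply an attacker-chosen function body, then open an
// `if (obj` so the remainder of the generated source still parses.
// Generated source becomes:
//   return function(){ globalThis.__pwned = true; }; if (obj) { ...original body... }
const PAYLOAD = "){ globalThis.__pwned = true; }; if (obj";

// Compile with the hostile `variable`, then call the "template". The function
// that comes back is the attacker's body, not the template at all.
function demonstrateInjection() {
  globalThis.__pwned = false;
  const compiled = compileTemplateUnsafe("hello <%= data.name %>", { variable: PAYLOAD });
  compiled({ name: "world" });
  return globalThis.__pwned; // true: injected code ran
}

// Same payload against the hardened wrapper: rejected before any source is built.
function demonstrateFix() {
  globalThis.__pwned = false;
  try {
    compileTemplateSafe("hello <%= data.name %>", { variable: PAYLOAD });
  } catch (e) {
    return globalThis.__pwned === false; // true: rejected, nothing executed
  }
  return false;
}

// Legitimate use still works through the hardened wrapper.
function renderGreeting(name) {
  const compiled = compileTemplateSafe("hello <%= data.name %>", { variable: "data" });
  return compiled({ name }); // "hello world" for name === "world"
}
```

The toy keeps lodash's structure (source text built by string concatenation, then `Function("return " + source)()`) because that is exactly what makes the `variable` option an injection point: it is not a parameter to the compiled function, it is part of the program being compiled. The hardened wrapper is the check to apply in your own code if a template variable name ever comes from configuration or request data, regardless of the lodash version installed.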
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2021-23337 no longer appears in the CVE table, you're clean.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub · Runs 100% in your browser
Frequently Asked Questions
How is CVE-2021-23337 different from CVE-2020-8203?
CVE-2020-8203 is prototype pollution via `_.zipObjectDeep`. CVE-2021-23337 is code injection through the `variable` option of `_.template()`. Lodash 4.17.21 contains the fixes for both.
Do I need to stop using _.template()?
Not necessarily. The fix in 4.17.21 rejects `variable` values containing characters that could break out of the generated parameter list, so a hostile `variable` now throws instead of executing. However, `_.template()` compiles its template string into JavaScript in every version, so an untrusted template string is always code execution. Keep templates and their options under your own control, validate any externally supplied variable name against an identifier allowlist, and prefer a logic-less templating approach where user input only ever appears as data.
Does lodash 4.17.21 fix both CVEs?
Yes — lodash 4.17.21 addresses both CVE-2020-8203 and CVE-2021-23337.