Skip to content

Withdrawn: Arbitrary code execution in lodash

Low severity Unreviewed Published Dec 3, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

npm lodash (npm)

Affected versions

<= 4.17.21

Patched versions

None

Description

Withdrawn

GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.

CVE description

"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.

References

Published by the National Vulnerability Database Sep 30, 2021
Published to the GitHub Advisory Database Dec 3, 2021
Last updated Feb 1, 2023

Severity

Low

EPSS score

0.602%
(79th percentile)

Weaknesses

CVE ID

CVE-2021-41720

GHSA ID

GHSA-8p5q-j9m2-g8wr

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.