Withdrawn: Arbitrary code execution in lodash

Low severity Unreviewed Published Dec 3, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

npm lodash (npm)

Affected versions

<= 4.17.21

Patched versions

None

Description

Withdrawn

GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details.

CVE description

"** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input."
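The vendor's position above rests on a distinction practitioners should be able to check for: the first argument to lodash's `template()` is compiled into a function, so it must be a developer-controlled constant, while untrusted values belong in the data object. The following heuristic audit is an added example (editor-supplied, not code from lodash or from the advisory) that flags `template()` calls whose source argument is not a string literal; the `SAMPLE_SOURCE` lines and the `req.body.layout` / `settings.templates[name]` expressions in them are constructed.

```javascript
// Heuristic audit for lodash template() calls whose template *source* is not
// a constant. The source is compiled to code, so only developer-controlled
// literals are safe there; untrusted values should flow in via the data object.
// Regex-based approximation of a lint rule, not a full JavaScript parser.

// Matches `_.template(`, `lodash.template(` or a bare `template(` call.
const TEMPLATE_CALL = /(?:\b(?:_|lodash)\.)?\btemplate\s*\(\s*/g;

// A single- or double-quoted string literal, or a backtick literal with no
// `${}` substitution, immediately followed by the end of the first argument.
const STRING_LITERAL = /^(?:'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`[^`$]*`)\s*[,)]/;

// Returns one finding per template() call whose source is not a literal:
// { line: <1-based line number>, arg: <best-effort text of the argument> }.
function auditTemplateCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(TEMPLATE_CALL)) {
      const rest = line.slice(m.index + m[0].length);
      if (STRING_LITERAL.test(rest)) continue; // constant template source
      const arg = rest.split(/[,)]/, 1)[0].trim(); // expression up to , or )
      findings.push({ line: idx + 1, arg });
    }
  });
  return findings;
}

// Constructed sample source (not real application code). Lines 3 and 5 take
// the template source from a request body and from a runtime lookup, which is
// exactly the pattern the advisory's note warns developers to avoid.
const SAMPLE_SOURCE = [
  "// constructed sample",
  "const greet = _.template('Hello <%- user %>, you have <%= count %> items');",
  "const body  = _.template(req.body.layout);",
  "const tpl   = template(`<h1><%- title %></h1>`);",
  "const pick  = lodash.template(settings.templates[name]);",
  "render(greet({ user: input.user, count: 3 }));",
].join('\n');

// Usage: prints [{ line: 3, arg: 'req.body.layout' },
//                { line: 5, arg: 'settings.templates[name]' }]
console.log(auditTemplateCalls(SAMPLE_SOURCE));
```

Literal-source calls such as line 2 pass because untrusted data reaches them only through the data object, where `<%- %>` HTML-escapes it.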

References

Published by the National Vulnerability Database Sep 30, 2021
Published to the GitHub Advisory Database Dec 3, 2021
Last updated Feb 1, 2023

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(79th percentile)

Weaknesses

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Learn more on MITRE.

CVE ID

CVE-2021-41720

GHSA ID

GHSA-8p5q-j9m2-g8wr
