Lodash fixes code injection in _.template imports

2 min readPublished 31 Mar 2026Updated 31 Mar 2026Source: CVEProject (cvelistV5)

CVE-2026-4800 News JavaScript Web Security

TL;DR — A lodash _.template option-handling gap can let attacker-controlled options.imports key names reach a Function() sink, enabling code execution during template compilation in vulnerable apps.

What happened

lodash is a widely used JavaScript utility library; its _.template feature compiles templates into executable JavaScript.

CVE-2026-4800 describes a code injection issue in _.template where validation added for a prior bug did not apply to options.imports key names, even though both the variable option path and the imports path ultimately flow into the same Function() constructor sink. If an application passes untrusted input as key names in options.imports, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

The CVE also calls out a second, compounding risk: _.template uses assignInWith to merge imports via for..in, which enumerates inherited properties. If Object.prototype has already been polluted by some other vector, polluted keys can be copied into the imports object and then passed onward toward Function().

This matters because lodash is deeply embedded across server-side and tooling codebases, and template-compilation surfaces often sit at the boundary between “data” and “code” — the exact fault line attackers target when they can influence configuration objects or metadata structures.

Who is impacted

Any codebase that uses _.template and constructs options.imports from user/tenant-controlled data.
Affected packages and ranges per the CVE record:

Package	Affected versions	Patched version (per CVE record)
`lodash`	`>= 4.0.0, < 4.18.0`	`4.18.0`
`lodash-es`	`>= 4.0.0, < 4.18.0`	`4.18.0`
`lodash-amd`	`>= 4.0.0, < 4.18.0`	`4.18.0`
`lodash.template`	`>= 4.0.0, < 4.18.0`	`4.18.0`

Severity in the CVE record is CVSS v3.1 8.1 (High).

What to do now

Follow vendor remediation guidance and apply the patched release.
- "Users should upgrade to version 4.18.0."
Audit for high-risk usage patterns:
- Identify _.template(...) callsites and inspect whether you ever pass options.imports.
- Treat any path that derives options.imports keys from request data, database fields, tenant configuration, or plugin metadata as suspect.
Apply the CVE’s documented workaround guidance in any area you cannot immediately patch:
- "Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names."
Assume prototype pollution can convert “low-risk” merge helpers into code-execution primitives when paired with dynamic code generation:
- Review your object merge/copy utilities (including for..in enumeration) and enforce prototype-pollution hardening where feasible, especially in code paths that feed template compilation or other code-generation features.

Additional Information

The CVE record references the earlier fix context for CVE-2021-23337 via GHSA-35jh-r3h4-6jhm.
OpenJS CNA advisory index referenced by the CVE: https://cna.openjsf.org/security-advisories.html.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.