CVE-2021-23337

HIGH NUCLEI

Lodash <4.17.21 - Command Injection

Title source: llm

Description

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Exploits (1)

nomisec STUB
by khayashi4337 · poc
https://github.com/khayashi4337/lodash.template-fixed

Nuclei Templates (1)

Lodash Template - Server-Side Template Injection (RCE)
HIGH · VERIFIED · by DhiyaneshDk
Shodan: http.component:"lodash"
FOFA: body="lodash"

Scores

CVSS v3 7.2
EPSS 0.0431
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (47)
lodash/lodash < 4.17.21
netapp/active_iq_unified_manager (3 CPE variants)
netapp/cloud_manager
netapp/system_manager 9.0
npm/lodash 0 - 4.17.21 (npm)
npm/lodash-es 0 - 4.17.21 (npm)
npm/lodash-template 0 (npm)
npm/lodash.template 0 (npm)
oracle/banking_corporate_lending_process_management 14.2.0
oracle/banking_corporate_lending_process_management 14.3.0
... and 37 more
Published Feb 15, 2021
Tracked Since Feb 18, 2026