CVE-2021-23358

Severity: LOW

underscore 1.3.2-1.12.1 - Arbitrary Code Injection via Template Function


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-23358. PoCs published by EkamSinghWalia, MehdiBoukhobza.


Description

Versions of the npm package underscore from 1.13.0-0 before 1.13.0-2, and from 1.3.2 before 1.12.1, are vulnerable to arbitrary code injection via the template function, particularly when a variable property is passed as an argument, because that value is not sanitized.

Exploits (2)

nomisec · Scanner · 2 stars
by EkamSinghWalia · PoC
https://github.com/EkamSinghWalia/Detection-script-for-cve-2021-23358

This repository contains a detection script for CVE-2021-23358, which checks for vulnerable versions of the Underscore.js library in various paths and npm installations. It does not exploit the vulnerability but scans for its presence.

Classification: Scanner (100%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Underscore.js (versions 1.13.0-0 to 1.13.0-2, 1.3.2 to 1.12.1)
Authentication: none needed
Prerequisites: Access to the target system's file system and npm installation
Analyzed by devstral-2 on Feb 18, 2026
nomisec · Working PoC · 1 star
by MehdiBoukhobza · PoC
https://github.com/MehdiBoukhobza/SandBox_CVE-2021-23358

This repository contains a functional PoC for CVE-2021-23358, demonstrating a code injection vulnerability in the Underscore.js library. The exploit leverages the `_.templateSettings.variable` property to execute arbitrary code when processing templates.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Underscore.js versions 1.3.0-1.13.0
Authentication: none needed
Prerequisites: Node.js environment with vulnerable Underscore.js version
Analyzed by devstral-2 on Feb 18, 2026

References (18)

[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html
[Third Party Advisory, Debian vendor advisory] https://www.debian.org/security/2021/dsa-4883
[Third Party Advisory, vendor confirmation] https://www.tenable.com/security/tns-2021-14

Scores

CVSS v3: 3.3
EPSS: 0.0141
EPSS Percentile: 81.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (7)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 33
fedoraproject/fedora 34
npm/underscore 1.3.2 - 1.12.1
tenable/tenable.sc < 5.18.0
underscorejs/underscore 1.3.2 - 1.12.1
Published: Mar 29, 2021
Tracked Since: Feb 18, 2026