CVE-2021-23337 Overview
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Lodash is one of the most widely-used JavaScript utility libraries, providing helpful methods for manipulating arrays, objects, strings, and more. This vulnerability allows authenticated attackers with high privileges to execute arbitrary commands on systems where user-controlled input is passed to the _.template() function without proper sanitization.
Critical Impact
Authenticated attackers can achieve remote code execution by injecting malicious commands through the Lodash template function, potentially leading to complete system compromise, data exfiltration, or lateral movement within affected environments.
Affected Products
- Lodash versions prior to 4.17.21
- Oracle Banking Corporate Lending Process Management (14.2.0, 14.3.0, 14.5.0)
- Oracle Banking Credit Facilities Process Management (14.2.0, 14.3.0, 14.5.0)
- Oracle Banking Extensibility Workbench (14.2.0, 14.3.0, 14.5.0)
- Oracle Communications Cloud Native Core Binding Support Function (1.9.0)
- Oracle Communications Cloud Native Core Policy (1.11.0)
- Oracle PeopleSoft Enterprise PeopleTools (8.58, 8.59)
- Oracle Primavera Gateway and Primavera Unifier (multiple versions)
- NetApp Active IQ Unified Manager, Cloud Manager, and System Manager
- Siemens SINEC INS (versions prior to 1.0 SP2)
Discovery Timeline
- February 15, 2021 - CVE-2021-23337 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-23337
Vulnerability Analysis
The vulnerability exists in the Lodash _.template() function, which compiles JavaScript template strings into functions that can be executed. This function is designed to interpolate data properties into template placeholders, but it uses JavaScript's Function constructor internally to generate the compiled template. When user-controlled input is passed to the template function without proper sanitization, an attacker can inject arbitrary JavaScript code that executes within the Node.js runtime context.
The attack requires high privileges (authenticated access) but can be executed remotely over a network with no user interaction required. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause is improper control of code generation (CWE-94: Code Injection) in the template compilation process. The _.template() function dynamically constructs JavaScript code from template strings and executes it using the Function constructor. When template options or interpolation delimiters contain malicious code, that code is included in the generated function and executed during template rendering.
The vulnerability specifically occurs because the template function does not adequately sanitize or escape special characters and code sequences within the template source or options, allowing attackers to break out of the intended template context and inject arbitrary commands.
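Lodash inserts the `variable` option into the source it hands to the Function constructor, and 4.17.21 added a denylist check on that string. The guard below is an added example, not Lodash's own code: it enforces a stricter identifier allowlist in front of the compile call. The lodash-style compile function is passed in as `compile` (an assumption, so the file runs without the dependency), and the names `buildTemplateOptions` and `guardedTemplate` are mine.

```javascript
// Added example (not Lodash's code): allowlist guard for the `variable` option
// before it reaches a lodash-style template compiler such as _.template.

// A single JavaScript-style identifier and nothing else. An allowlist is
// stricter than the character denylist Lodash 4.17.21 applies itself.
const SAFE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reject anything that could not be a plain parameter name. `undefined` is
// allowed because Lodash then falls back to its own default name.
function assertSafeTemplateVariable(name) {
  if (name === undefined) return;
  if (typeof name !== 'string' || !SAFE_IDENTIFIER.test(name)) {
    throw new TypeError('Rejected template variable option: ' + JSON.stringify(String(name)));
  }
}

// Only `variable` may come from the untrusted side. Delimiter and imports
// options are taken from the developer-controlled object unchanged.
function buildTemplateOptions(trustedOptions, untrustedVariable) {
  assertSafeTemplateVariable(untrustedVariable);
  const options = { ...(trustedOptions || {}) };
  if (untrustedVariable !== undefined) options.variable = untrustedVariable;
  return options;
}

// Wrapper: `compile` is assumed to be lodash's template function (or compatible).
function guardedTemplate(compile, source, trustedOptions, untrustedVariable) {
  return compile(source, buildTemplateOptions(trustedOptions, untrustedVariable));
}

// Stand-alone demonstration with a stand-in compiler that records its options
// instead of generating code; returns how many compiles ran and whether the
// malformed name was refused before reaching the compiler.
function demo() {
  const seen = [];
  const fakeCompile = (src, opts) => { seen.push(opts); return () => src; };
  guardedTemplate(fakeCompile, 'Hello <%= user %>', {}, 'data');
  let rejected = false;
  try {
    guardedTemplate(fakeCompile, 'Hello <%= user %>', {}, 'not an identifier');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { accepted: seen.length, rejected };
}

console.log(demo());
```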
Attack Vector
An attacker with authenticated access to an application using vulnerable Lodash versions can exploit this vulnerability by:
- Identifying application endpoints that process user input through Lodash's _.template() function
- Crafting malicious input containing JavaScript code injection payloads
- Submitting the payload through the identified entry points
- Triggering template compilation, at which point the injected code executes within the Node.js process context and enables command execution
The attack is network-accessible and requires no user interaction beyond the attacker's own actions. The vulnerability mechanism involves injecting code through template options or interpolation patterns that get evaluated by the JavaScript Function constructor during template compilation.
For technical implementation details, refer to the Snyk vulnerability report for SNYK-JS-LODASH-1040724 and the GitHub Lodash source code.
Detection Methods for CVE-2021-23337
Indicators of Compromise
- Unexpected child processes spawned from Node.js applications using Lodash
- Unusual network connections originating from Node.js server processes
- Suspicious command execution patterns in application logs, particularly associated with template rendering functions
- Anomalous file system modifications or data exfiltration attempts from web application contexts
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable Lodash versions (prior to 4.17.21) in your dependency trees
- Monitor application logs for unusual template rendering errors or exceptions that may indicate injection attempts
- Deploy runtime application self-protection (RASP) solutions to detect code injection attempts at the application layer
- Configure Web Application Firewalls (WAF) to flag requests containing suspicious template injection patterns
Monitoring Recommendations
- Enable detailed logging for applications using Lodash template functionality
- Monitor process creation events for Node.js applications, alerting on unexpected child processes
- Implement file integrity monitoring on systems running affected applications
- Track network connections from application servers to detect potential command-and-control communications
How to Mitigate CVE-2021-23337
Immediate Actions Required
- Upgrade Lodash to version 4.17.21 or later across all affected applications and dependencies
- Audit your codebase to identify all uses of _.template() with user-controlled input
- Implement strict input validation and sanitization for any data passed to template functions
- Review and update transitive dependencies that may bundle vulnerable Lodash versions
Patch Information
The vulnerability is addressed in Lodash version 4.17.21. Organizations should update their package.json dependencies and run npm update or yarn upgrade to pull in the patched version. For applications with locked dependency versions, explicit updates may be required.
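Auditing for transitive copies is the part that is easy to miss: a patched top-level lodash does not help if a dependency nests its own older copy. The script below is an added example, not npm's or Lodash's code; it walks the "packages" map of a lockfile v2/v3 package-lock.json (which lists every nested node_modules path) and reports each lodash install older than 4.17.21. The lock data is constructed for the demo; `findVulnerableLodash` and `isVulnerableLodash` are my names.

```javascript
// Added example (not npm's or Lodash's code): find every lodash copy in a
// package-lock.json "packages" map that is older than the patched 4.17.21.
const PATCHED = [4, 17, 21];

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `version` is strictly lower than the patched release.
function isVulnerableLodash(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false;
}

// Return [{ path, version }] for each vulnerable lodash entry, including nested
// copies such as node_modules/<dep>/node_modules/lodash. Only the package named
// "lodash" is matched; lodash-es and the per-method packages are separate names
// and would need their own entries in the check.
function findVulnerableLodash(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/lodash') || !meta.version) continue;
    if (isVulnerableLodash(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample lockfile: the top-level copy is patched, but a CLI
// dependency still pins an older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-cli': { version: '2.0.0', dependencies: { lodash: '^4.17.15' } },
    'node_modules/some-cli/node_modules/lodash': { version: '4.17.15' },
  },
};

console.log(findVulnerableLodash(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` in place of the sample object.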
Multiple vendors have released security advisories with patch information:
- Oracle Security Alert CPU July 2021
- Oracle Security Alert CPU October 2021
- Oracle Security Alert CPU January 2022
- Oracle Security Alert CPU July 2022
- Siemens Security Advisory SSA-637483
- NetApp Security Advisory NTAP-20210312-0006
Workarounds
- Avoid using _.template() with any user-controlled input until patching is complete
- Implement server-side template rendering in a sandboxed environment with restricted permissions
- Use alternative template engines that do not rely on dynamic code evaluation
- Apply Content Security Policy (CSP) headers to limit the impact of code injection in browser contexts
# Update Lodash to patched version
npm update lodash --depth 9999
# Verify installed version
npm list lodash
# Expected output should show lodash@4.17.21 or higher
# For yarn users
yarn upgrade lodash@^4.17.21
yarn why lodash
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.