CVE-2021-23358 Overview
CVE-2021-23358 is an arbitrary code injection vulnerability in the Underscore.js JavaScript utility library. The flaw is in the template function, which does not sanitize the variable property passed to it as part of its settings argument; because that value is used while the function generates code, an attacker who controls it can inject and execute arbitrary JavaScript in the context of the application. Exploitation requires privileged access.
Underscore.js is one of the most widely used JavaScript utility libraries, providing functional programming helpers that are extensively used in both client-side and server-side applications. The widespread adoption of this library across enterprise applications, including products from Tenable, Apache Cordova, and various Linux distributions, significantly amplifies the potential impact of this vulnerability.
Critical Impact
An attacker who can reach the application over the network and holds the required privileges can achieve arbitrary code execution through the unsanitized template function, which may lead to complete system compromise, data exfiltration, or lateral movement within affected environments.
Affected Products
- Underscore.js versions 1.3.2 to before 1.12.1
- Underscore.js versions 1.13.0-0 to before 1.13.0-2
- Debian Linux 9.0 and 10.0
- Tenable.sc (affected versions per TNS-2021-14)
- Fedora 33 and 34
Discovery Timeline
- March 29, 2021 - CVE-2021-23358 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2021-23358
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw resides in the template function of the Underscore.js library, which is commonly used for generating dynamic HTML or text by interpolating data into template strings.
The core issue is that the template function does not sanitize the variable property of the settings object passed to it. When user-controlled input reaches that property without validation, an attacker can craft a value that breaks out of the intended template context and injects arbitrary JavaScript code.
Exploitation requires privileged access: the attacker must already hold some authenticated access, or otherwise control input that reaches the vulnerable function. Once exploited, however, the attacker can execute arbitrary code with the privileges of the application, which can lead to full system compromise.
Root Cause
The root cause of CVE-2021-23358 lies in the template compilation logic of Underscore.js. The template function dynamically constructs JavaScript source from the template string, the data object, and its settings. When it processes the variable property, it does not escape or validate characters that the JavaScript engine would treat as code delimiters or executable statements.
Specifically, the vulnerable code path in template.js assembles the executable source by concatenating the user-supplied value without encoding it, so a specially crafted value can escape its intended context and introduce JavaScript statements that run when the template is compiled or rendered.
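To make the root cause concrete, here is an added, stripped-down model of a template compiler (not Underscore.js source; compileTemplate, escapeChunk and isBareIdentifier are hypothetical names, and the bare-identifier regex is an assumption about the shape of the fix, not the upstream code). It shows the unchecked variable setting flowing into generated code beside the allow-list check that closes the gap.

```javascript
// Added example, not Underscore.js source: a stripped-down model of how a
// template compiler turns "<%= expr %>" text into a function, showing why an
// unchecked `variable` setting is a CWE-94 sink and how an allow-list closes it.

// Hypothetical helper: make a literal text chunk safe inside a JS string literal.
function escapeChunk(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'")
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}

// Allow-list: the argument name must be a bare identifier, nothing else.
// (Assumption: the fixed releases add a check of this shape; the exact
// upstream regex may differ.)
const BARE_IDENTIFIER = /^\s*(\w|\$)+\s*$/;
function isBareIdentifier(name) {
  return BARE_IDENTIFIER.test(name);
}

// hardened=false reproduces the defect: settings.variable is spliced straight
// into the source handed to new Function, so it is parsed as code, not data.
// hardened=true validates it first and throws on anything that is not a name.
function compileTemplate(text, settings, hardened) {
  const argument = (settings && settings.variable) || 'obj';
  if (hardened && !isBareIdentifier(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  let source = "let __p = '';\n";
  let index = 0;
  text.replace(/<%=([\s\S]+?)%>/g, (match, expr, offset) => {
    source += "__p += '" + escapeChunk(text.slice(index, offset)) + "';\n";
    source += '__p += String(' + expr + ');\n';
    index = offset + match.length;
    return match;
  });
  source += "__p += '" + escapeChunk(text.slice(index)) + "';\nreturn __p;";
  // Whatever `argument` holds becomes the generated function's parameter list.
  return new Function(argument, source);
}

// A legitimate name works in both modes; a value that is not an identifier is
// rejected only by the hardened path, while the unhardened path hands it to the
// JavaScript parser unchanged, which is the gap this CVE describes.
function demo() {
  const render = compileTemplate('Hello <%= data.name %>!', { variable: 'data' }, true);
  let rejected = false;
  try { compileTemplate('x', { variable: 'data, extra' }, true); } catch (e) { rejected = true; }
  const unhardened = compileTemplate('x', { variable: 'data, extra' }, false);
  return { out: render({ name: 'Ann' }), rejected, unhardenedAccepts: typeof unhardened === 'function' };
}
```

The defensive takeaway is the allow-list: anything that is spliced into generated source must be constrained to the exact grammar it is meant to occupy, here a single identifier, rather than escaped after the fact.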
Attack Vector
The attack is network-accessible and requires no user interaction. An attacker with elevated privileges can exploit this vulnerability by:
- Identifying application endpoints or functionality that utilize Underscore.js templates with user-controllable data
- Crafting a malicious payload containing JavaScript code disguised as template variable values
- Submitting the payload through the identified input vector
- The template function processes the input, inadvertently executing the injected code
The exploitation does not require complex techniques and can be accomplished once an attacker identifies a viable injection point. The impact includes full confidentiality, integrity, and availability compromise of the affected system.
The vulnerability mechanism involves the template function failing to sanitize variable properties before code generation. When user-controlled data flows into template compilation, attackers can inject JavaScript statements that execute during template rendering. For detailed technical analysis of the vulnerable code path, refer to the GitHub Source Code Reference and the Snyk Vulnerability Report.
Detection Methods for CVE-2021-23358
Indicators of Compromise
- Unusual template rendering errors or exceptions in application logs indicating malformed template input
- Unexpected outbound network connections from Node.js or browser-based JavaScript applications
- Evidence of arbitrary command execution in system logs correlating with template processing activity
- Anomalous process spawning from Node.js processes or web server contexts
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable Underscore.js versions in application dependencies
- Monitor application logs for template-related exceptions that may indicate exploitation attempts
- Deploy runtime application self-protection (RASP) solutions to detect code injection patterns
- Utilize network monitoring to identify suspicious outbound traffic from application servers
Monitoring Recommendations
- Enable verbose logging for applications utilizing Underscore.js templates
- Configure security information and event management (SIEM) rules to alert on code injection patterns in web application logs
- Monitor package manager manifests (package.json, package-lock.json) for vulnerable Underscore.js versions
- Implement dependency scanning in CI/CD pipelines to catch vulnerable versions before deployment
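As an added example of the manifest monitoring recommended above (not part of the advisory or any vendor tool; the function names and the sample lockfile are constructed), this script checks every Underscore.js copy recorded in a package-lock.json against this CVE's affected ranges. It handles the prerelease versions explicitly, because a plain string or numeric comparison would misclassify 1.13.0-1 and 1.13.0-2.

```javascript
// Added example, not from the advisory or any vendor tool: flag Underscore.js
// copies in a package-lock.json (lockfileVersion 2/3 "packages" map) that fall in
// this CVE's affected ranges. 1.13.0-0 and 1.13.0-1 are affected; 1.13.0-2 is not.

// Affected ranges from the advisory, as [lowest affected, first fixed).
const VULNERABLE_RANGES = [['1.3.2', '1.12.1'], ['1.13.0-0', '1.13.0-2']];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null } : null;
}

// Semver ordering: numeric core first, then a prerelease sorts below the
// release it precedes, then prerelease identifiers compare part by part.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre || !b.pre) return a.pre ? -1 : 1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const numeric = /^\d+$/.test(x) && /^\d+$/.test(y);
    if (numeric ? +x !== +y : x !== y) return numeric ? +x - +y : (x < y ? -1 : 1);
  }
  return 0;
}

function isVulnerableUnderscore(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions are not matched; review them by hand
  return VULNERABLE_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0);
}

// Walk every installed copy, including nested ones under other dependencies,
// since a transitive dependency can pin an old Underscore.js of its own.
function findVulnerableUnderscore(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, info]) => /(^|\/)node_modules\/underscore$/.test(path) && isVulnerableUnderscore(info.version))
    .map(([path, info]) => ({ path, version: info.version }));
}

// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/underscore': { version: '1.13.1' },
    'node_modules/some-cli/node_modules/underscore': { version: '1.13.0-1' },
    'node_modules/legacy-widget/node_modules/underscore': { version: '1.8.3' },
  },
};
```

Run it over a real lockfile with `findVulnerableUnderscore(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; the top-level copy being patched is not enough if a nested copy is still in range.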
How to Mitigate CVE-2021-23358
Immediate Actions Required
- Audit all applications and dependencies for vulnerable Underscore.js versions (1.3.2 to 1.12.0 and 1.13.0-0 to 1.13.0-1)
- Upgrade Underscore.js to 1.12.1 or later (or, on the 1.13 prerelease line, to 1.13.0-2 or later) immediately
- Implement input validation and sanitization for any data flowing into template functions
- Consider replacing Underscore.js with actively maintained alternatives like Lodash if feasible
Patch Information
The vulnerability has been addressed in Underscore.js versions 1.12.1 and 1.13.0-2. Organizations should update to these versions or later to remediate the vulnerability. Multiple vendor-specific patches have also been released:
- Debian Security Advisory DSA-4883 - Provides patched packages for Debian systems
- Debian LTS Announcement - Security update for Debian LTS
- Tenable Security Advisory TNS-2021-14 - Tenable.sc specific remediation
- Fedora Package Announcements - Updated packages for Fedora 33 and 34
- NetApp Security Advisory - NetApp product remediation guidance
Workarounds
- Avoid passing user-controlled data directly to the Underscore.js template function
- Implement strict input validation and sanitization before template processing
- Use Content Security Policy (CSP) headers to limit the impact of code injection in browser-side rendering (CSP does not constrain server-side Node.js execution)
- Consider using template engines with built-in auto-escaping capabilities as an alternative
# Update Underscore.js using npm (npm update only moves within the version
# range declared in package.json; pin an explicit version if that range is too old)
npm update underscore
# Or install a specific patched version
npm install underscore@1.13.1
# Verify installed version
npm list underscore
# For yarn users
yarn upgrade underscore@^1.13.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.