Source: node-lodash
Version: 4.17.23+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.17.21+dfsg+~cs8.31.198.20210220-9

Hi,

The following vulnerability was published for node-lodash.

CVE-2026-4800[0]:
| Impact: The fix for CVE-2021-23337
| (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation
| for the variable option in _.template but did not apply the same
| validation to options.imports key names. Both paths flow into the
| same Function() constructor sink. When an application passes
| untrusted input as options.imports key names, an attacker can inject
| default-parameter expressions that execute arbitrary code at
| template compilation time. Additionally, _.template uses
| assignInWith to merge imports, which enumerates inherited properties
| via for..in. If Object.prototype has been polluted by any other
| vector, the polluted keys are copied into the imports object and
| passed to Function(). Patches: Users should upgrade to version
| 4.18.0. Workarounds: Do not pass untrusted input as key names in
| options.imports. Only use developer-controlled, static key names.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-4800
    https://www.cve.org/CVERecord?id=CVE-2026-4800
[1] https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
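The advisory's workaround is to pass only developer-controlled, identifier-shaped key names in `options.imports`, and the second issue it describes is that inherited (prototype-polluted) keys are picked up because the merge walks `for..in`. The following is an added example, not code from the bug report, from lodash, or from the fix commit, showing a defensive pre-check an application could apply to an imports object before handing it to `_.template`: it accepts only own properties whose names are plain identifiers and returns a null-prototype copy, so neither an untrusted key name nor an inherited key reaches the `Function()` constructor. The helper names (`isSafeImportName`, `sanitizeImports`, `inheritedImportKeys`) and the reserved-word list are this example's own assumptions; it does not require lodash to run.

```javascript
// Added example, not part of the Debian bug report or of lodash.
// Pre-validates an `imports` object in the way the advisory's workaround
// asks for: only static, identifier-shaped, own key names are accepted.

// Deliberately narrower than the full ECMAScript IdentifierName grammar:
// ASCII letters, digits, `_` and `$`, not starting with a digit. Anything
// containing `=`, whitespace, parentheses, commas or braces cannot pass,
// so a key name can never read as a default-parameter expression.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Names that match the regex but are not usable as parameter names
// (keywords, plus `arguments`/`eval`, which strict-mode code rejects).
// Assumed list for this example; extend as needed.
const RESERVED = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue',
  'debugger', 'default', 'delete', 'do', 'else', 'enum', 'export',
  'extends', 'false', 'finally', 'for', 'function', 'if', 'implements',
  'import', 'in', 'instanceof', 'interface', 'let', 'new', 'null',
  'package', 'private', 'protected', 'public', 'return', 'static',
  'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var',
  'void', 'while', 'with', 'yield', 'arguments', 'eval',
]);

// True only for a string that is a plain, non-reserved identifier.
function isSafeImportName(name) {
  return typeof name === 'string'
    && IDENTIFIER_RE.test(name)
    && !RESERVED.has(name);
}

// Lists keys a `for..in` walk would see that are NOT own properties,
// i.e. the inherited keys the advisory says assignInWith would copy.
// Useful as a detection check in tests or at startup.
function inheritedImportKeys(imports) {
  const own = new Set(Object.keys(imports));
  const inherited = [];
  // eslint-disable-next-line guard-for-in -- the point is to see inherited keys
  for (const key in imports) {
    if (!own.has(key)) inherited.push(key);
  }
  return inherited;
}

// Returns a null-prototype copy of `imports` containing only own,
// identifier-shaped keys. Throws on the first unsafe key rather than
// silently dropping it, so a bad configuration fails loudly.
function sanitizeImports(imports) {
  const safe = Object.create(null); // no prototype, so nothing to inherit
  // Object.keys enumerates own enumerable properties only, unlike for..in.
  for (const name of Object.keys(imports || {})) {
    if (!isSafeImportName(name)) {
      throw new TypeError(`unsafe template import name: ${JSON.stringify(name)}`);
    }
    safe[name] = imports[name];
  }
  return safe;
}

// Intended use (lodash not required for this example):
//   const safe = sanitizeImports(myImports);
//   const compiled = _.template(source, { imports: safe });

module.exports = { isSafeImportName, sanitizeImports, inheritedImportKeys };
```

The regex is intentionally stricter than what JavaScript allows as an identifier; the goal is not to accept every legal name but to guarantee that whatever is accepted is a bare name and nothing more. Returning a null-prototype object also means the sanitized value itself carries no inherited keys even if `Object.prototype` is polluted later.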
