In the world of modern JavaScript, Lodash is the undisputed heavyweight champion of utility libraries, supplying the modular, well-tuned helpers that millions of developers rely on daily. A newly identified high-severity vulnerability, CVE-2026-4800, exposes a Code Injection path through one of its most popular features: the _.template function.
Rated at CVSS 8.1, this flaw shows how a single gap in input validation can turn a convenience helper into a code-execution sink.
The story of this vulnerability begins with the earlier fix for CVE-2021-23337. That update added validation for the variable option of _.template, but it did not apply the same checks to the key names of options.imports.
Both values end up in the same sink, the Function() constructor, where the imports key names become the parameter list of the generated function. Leaving that side unvalidated left the door wide open: an attacker who can pass untrusted input as an imports key name can smuggle in a "default-parameter expression" (a parameter declaration of the form name = expression), and that expression executes the moment the template is compiled, without anyone ever calling the resulting template function.
Beyond direct injection, the vulnerability is magnified by how Lodash merged the imports object. _.template previously used assignInWith for that merge, and assignInWith walks its source with a for..in loop, so it copies not just the object's own properties but every inherited enumerable property as well.
This creates a dangerous synergy with Prototype Pollution:
- If an attacker has polluted Object.prototype through a completely separate vulnerability, those malicious keys are automatically copied into the imports object.
- These polluted keys are then handed to the Function() constructor as parameter names, leading to unauthorized code execution even though the caller never placed a hostile key in options.imports.
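To make both paths concrete, here is an added example that is not Lodash's own code: a stripped-down model of the compile step in _.template. compileUnsafe mirrors the shape of the vulnerable sink (for..in over the imports, key names straight into the Function() parameter list, wrapper invoked immediately), and compileSafe is the hardened form a practitioner would want (own keys only, each key required to be a plain identifier). The function names, the IDENT regex, the globalThis.__templateDemoHit flag, and the polluted key are all constructed for this demonstration and are not part of the library.

```javascript
// Added example, not Lodash's code: a minimal model of the _.template
// compile step. The real library generates far more source text; only the
// shape of the Function() sink is kept here.

// Model of the vulnerable path: every key name, own or inherited (for..in),
// becomes a parameter of a wrapper that is invoked immediately, so a
// default-parameter expression hidden in a key name runs at compile time.
// A default initializer only evaluates when the argument supplied for that
// parameter is undefined, which is why the demos below leave it undefined.
function compileUnsafe(source, imports) {
  const keys = [];
  for (const k in imports) keys.push(k); // inherited keys included
  const values = keys.map((k) => imports[k]);
  const wrapper = Function(keys.join(','), 'return function (data) { return ' + source + '; };');
  return wrapper.apply(undefined, values);
}

// Hardened model: own keys only, and each key must be a plain identifier.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/; // constructed allow-list, not Lodash's
function isSafeImportKey(key) {
  return IDENT.test(key);
}
function compileSafe(source, imports) {
  const keys = Object.keys(imports); // own enumerable keys only
  for (const k of keys) {
    if (!isSafeImportKey(k)) {
      throw new TypeError('options.imports key is not a plain identifier: ' + JSON.stringify(k));
    }
  }
  const values = keys.map((k) => imports[k]);
  const wrapper = Function(keys.join(','), 'return function (data) { return ' + source + '; };');
  return wrapper.apply(undefined, values);
}

// Direct injection: a key name that is itself a default-parameter expression.
// Returns whether the smuggled expression ran during compilation.
function demoDirectInjection(compile) {
  globalThis.__templateDemoHit = false; // constructed canary
  try {
    compile('"ok"', { 'x = (globalThis.__templateDemoHit = true, 0)': undefined });
  } catch (e) {
    if (!(e instanceof TypeError)) throw e; // compileSafe rejects the key
  }
  const hit = globalThis.__templateDemoHit;
  delete globalThis.__templateDemoHit;
  return hit;
}

// Prototype pollution: the caller passes an empty imports object, but a
// polluted Object.prototype is enumerated by for..in and copied into the
// parameter list. The pollution is constructed here and removed afterwards.
function demoPrototypePollution(compile) {
  const polluted = 'y = (globalThis.__templateDemoHit = true, 0)';
  globalThis.__templateDemoHit = false;
  Object.prototype[polluted] = undefined;
  try {
    compile('"ok"', {}); // looks harmless to the caller
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  } finally {
    delete Object.prototype[polluted];
  }
  const hit = globalThis.__templateDemoHit;
  delete globalThis.__templateDemoHit;
  return hit;
}

console.log('unsafe sink, direct injection ran:', demoDirectInjection(compileUnsafe)); // true
console.log('safe sink,   direct injection ran:', demoDirectInjection(compileSafe));   // false
console.log('unsafe sink, polluted prototype ran:', demoPrototypePollution(compileUnsafe)); // true
console.log('safe sink,   polluted prototype ran:', demoPrototypePollution(compileSafe));   // false
```

Two design points carry over to real code: collecting keys with Object.keys (or hasOwnProperty) closes the prototype-pollution path on its own, and the identifier allow-list is what makes an attacker-controlled key name harmless even if it does reach the parameter list. Note that the canary only fires because the value for the hostile key is undefined; a defined value would suppress the default initializer, which is exactly why the check belongs on the key name rather than on the value.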
The maintainers of Lodash have released a critical update that addresses both weaknesses. Users are strongly urged to upgrade to version 4.18.0 or later immediately.
If you cannot upgrade right away, the primary workaround is strict input control: never derive options.imports key names from untrusted or user-generated input, and use only developer-controlled, static key names in production code. Keep in mind that this workaround does not cover the second path, where a separate Prototype Pollution flaw plants the hostile key on Object.prototype rather than in your imports object, so any pollution vector in the same process must be closed as well.