Horizon Alert
Summary of the vulnerability and why it matters
This advisory details a critical vulnerability in the Lodash JavaScript utility library that could allow attackers to execute arbitrary code. The issue arises when untrusted input is used in specific import key names within the templating function, potentially leading to unauthorized system access. While the vulnerability requires specific conditions to be exploited, its widespread use in web applications necessitates attention.
- Code execution risk via untrusted input.
- Widely used library, potential for broad impact.
- Assess relevance and confirm exposure.
Attack Path
How an attacker could exploit the issue
An attacker can exploit this vulnerability by providing malicious input as key names within the `options.imports` object when using the `_.template` function. This allows them to inject code that executes during template compilation, potentially leading to arbitrary code execution on the server. The vulnerability arises because a fix for a similar issue did not fully validate all import key names, and the function used to merge imports can enumerate inherited properties, further enabling code injection if the prototype has been tampered with.
- Attacker provides untrusted input.
- Vulnerable code compiles template with imports.
- Arbitrary code execution is possible.
Live Threat
Current exploitation, exposure, and threat context
When an application processes untrusted input as key names for `options.imports`, an attacker could inject malicious code that executes during template compilation, potentially leading to arbitrary code execution on the server. This could occur when the application merges import objects, and if the `Object.prototype` has been manipulated, those polluted keys could be passed to the `Function()` constructor.
- Server-side code execution.
- Untrusted input in import keys.
- Compromised application logic.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability affects applications using lodash's _.template function with untrusted input in `options.imports` key names. Ownership typically lies with the application or platform teams responsible for the code using lodash. The first step is to identify all instances of the affected lodash versions, assess their exposure and criticality, and then plan remediation.
- Application and platform teams own resolution.
- Verify untrusted input in `options.imports` keys.
- Plan and execute the upgrade to the patched version.