External risk intelligence

lodash Template Import Code Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-4800

This Lodash vulnerability allows arbitrary code execution via untrusted input in options.imports. While Lodash is widely used in web applications, exploitation requires specific insecure coding patterns where user-controlled data is passed directly into template keys. It is not inherently exposed to the internet by design, but its high prevalence makes internet-facing exploitation plausible.

Code Injection

Lodash

4.0.0 to before 4.18.0

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in the Lodash JavaScript utility library that could allow attackers to execute arbitrary code. The issue arises when untrusted input is used in specific import key names within the templating function, potentially leading to unauthorized system access. While the vulnerability requires specific conditions to be exploited, its widespread use in web applications necessitates attention.

  • Code execution risk via untrusted input.
  • Widely used library, potential for broad impact.
  • Assess relevance and confirm exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by providing malicious input as key names within the `options.imports` object when using the `_.template` function. This allows them to inject code that executes during template compilation, potentially leading to arbitrary code execution on the server. The vulnerability arises because a fix for a similar issue did not fully validate all import key names, and the function used to merge imports can enumerate inherited properties, further enabling code injection if the prototype has been tampered with.

  • Attacker provides untrusted input.
  • Vulnerable code compiles template with imports.
  • Arbitrary code execution is possible.

Live Threat

Current exploitation, exposure, and threat context

When an application processes untrusted input as key names for `options.imports`, an attacker could inject malicious code that executes during template compilation, potentially leading to arbitrary code execution on the server. This could occur when the application merges import objects, and if the `Object.prototype` has been manipulated, those polluted keys could be passed to the `Function()` constructor.

  • Server-side code execution.
  • Untrusted input in import keys.
  • Compromised application logic.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects applications using lodash's _.template function with untrusted input in `options.imports` key names. Ownership typically lies with the application or platform teams responsible for the code using lodash. The first step is to identify all instances of the affected lodash versions, assess their exposure and criticality, and then plan remediation.

  • Application and platform teams own resolution.
  • Verify untrusted input in `options.imports` keys.
  • Plan and execute the upgrade to the patched version.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Lodash and where is it used?

Lodash is a popular JavaScript utility library that simplifies programming tasks like manipulating arrays, numbers, objects, and strings. It is widely used in Node.js applications and web development to handle complex data operations efficiently. The affected components, including lodash, lodash-es, and lodash.template, are foundational dependencies in many software projects, often integrated into larger frameworks or custom application code to process templates and data structures.

What does CVE-2026-4800 mean for my software?

CVE-2026-4800 is a code injection vulnerability classified as Improper Neutralization of Input During Web Page Generation (CWE-94). It occurs when the library's template function incorrectly handles certain keys. An attacker can use these keys to inject malicious expressions that the application then executes as code during the template compilation process. It effectively allows an attacker to trick the application into running unauthorized commands.

How does an attacker trigger this vulnerability?

An attacker must be able to control the keys passed to the options.imports object within the _.template function. If an application directly accepts untrusted input and uses it as a key name for these imports, the vulnerability can be triggered. Conversely, if an application only uses hardcoded, developer-controlled strings for these keys, or does not use the template functionality with user-provided import definitions, the specific execution path for this bug is not engaged.

Is my application at risk from this CVE?

According to Halo Surface Signal, this vulnerability is considered possible if your application is internet-facing and uses Lodash to process templates with user-supplied input. While the library is not inherently broken, the risk arises when developers inadvertently bridge the gap between untrusted network data and the vulnerable templating logic. You should evaluate if your code passes external request data into the keys of the options.imports object.

What is the recommended first step to fix this?

The primary resolution is to upgrade your Lodash dependency to version 4.18.0 or higher. If an immediate upgrade is not feasible, you must audit your application code to ensure that no untrusted input is ever used as a key name within options.imports. Ensure that only static, developer-defined keys are used in this context to prevent malicious injection during the template compilation process.

References