Lodash Arbitrary Code Execution Vulnerability – Comprehensive Analysis
Overview
Lodash versions ≤ 4.17.21 are vulnerable to Arbitrary Code Execution (ACE) through multiple attack vectors, including template injection, prototype pollution, and unsafe path traversal. Our project currently uses lodash 4.17.21 as a direct dependency, with extensive usage across the codebase. No patched version exists as of September 2025: 4.17.21 remains the latest published version, unchanged since February 2021.
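The two vector classes the overview names, template injection and prototype pollution, shown in an example added here. This is not lodash's code and not the issue author's: `compileTemplate` is a minimal stand-in for a string-compiling template function (the `<%= expr %>` → `new Function` pattern), `naiveMerge` is a deliberately unguarded deep merge, and `safeMerge` plus the fixed-template call show the hardened pattern. The `__marker`/`__leak` globals and the JSON payload are constructed for the demo.

```javascript
// Added illustration, not lodash's implementation. Two vector classes:
//  1. template injection: attacker controls the *template text*, which a
//     string-compiling engine turns into a Function and executes;
//  2. prototype pollution: a deep merge that writes through "__proto__".

// --- Vector 1: string-compiling template engine (stand-in) -------------------
// Literal parts are emitted as JSON string literals; each <%= expr %> is spliced
// in as code. Whoever authors the template text is authoring JavaScript.
function compileTemplate(source) {
  const parts = [];
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(source)) !== null) {
    parts.push(JSON.stringify(source.slice(last, m.index)));
    parts.push(`String(${m[1]})`);
    last = m.index + m[0].length;
  }
  parts.push(JSON.stringify(source.slice(last)));
  // `with (data)` lets template expressions refer to data fields by bare name.
  return new Function('data', `with (data) { return ${parts.join(' + ')}; }`);
}

function demoTemplateInjection() {
  // Hardened pattern: developer-authored template, untrusted *data*. Template
  // syntax inside the data is inert text and is never compiled.
  const fixed = compileTemplate('Hello <%= name %>!');
  const viaData = fixed({ name: '<%= globalThis.__leak = 1 %>' });

  // Vulnerable pattern: the template text itself is attacker-controlled
  // (constructed payload). The expression runs as code when rendered.
  delete globalThis.__marker;
  compileTemplate('<%= (globalThis.__marker = "executed") %>')({});
  const attackerTemplateRan = globalThis.__marker === 'executed';
  delete globalThis.__marker;

  return { viaData, attackerTemplateRan, leaked: '__leak' in globalThis };
}

// --- Vector 2: deep merge with and without a prototype guard ------------------
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      // For key "__proto__", target[key] is Object.prototype, so the recursion
      // writes attacker-chosen properties onto every object in the process.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;            // never walk the prototype chain
    const v = source[key];
    if (isPlainObject(v)) {
      // Only recurse into an *own* plain object on the target; otherwise start fresh.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

function demoPrototypePollution() {
  // Constructed attacker payload; JSON.parse yields an own "__proto__" key.
  const payload = () => JSON.parse('{"__proto__": {"polluted": true}}');
  naiveMerge({}, payload());
  const afterNaive = ({}).polluted === true;          // true: every object now has it
  delete Object.prototype.polluted;                   // undo the pollution
  safeMerge({}, payload());
  const afterSafe = ({}).polluted === true;           // false: key was skipped
  return { afterNaive, afterSafe };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoTemplateInjection());
  console.log(demoPrototypePollution());
}
```

The fix for the first vector is a trust boundary, not a patch: template text is code and must come from the developer, while request-derived values go in as data. For the second, the merge has to refuse `__proto__`, `constructor` and `prototype` keys and only descend into own plain-object properties.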
Vulnerability Details
| Aspect | Details |
| --- | --- |
| CVE | Multiple (template injection, prototype pollution) |
| Severity | High: arbitrary code execution potential |
| Affected versions | All versions ≤ 4.17.21 |
| Current project version | 4.17.21 (latest available) |
| Last update | February 20, 2021 |
| Patched version | None available |