CVE-2026-4800
Prototype pollution vulnerability in lodash (npm)

Prototype pollution Proof of concept

What is CVE-2026-4800 About?

This prototype pollution vulnerability in Lodash affects versions prior to 4.18.0, specifically within `_.template`'s `options.imports` key names. An attacker can inject default-parameter expressions to execute arbitrary code during template compilation, or leverage existing prototype pollution via `assignInWith`. This allows for remote code execution or denial of service when untrusted input influences template imports.

Affected Software

  • lodash
    • >=4.0.0, <4.18.0
  • lodash-es
    • >=4.0.0, <4.18.0
  • lodash-amd
    • >=4.0.0, <4.18.0
  • lodash.template
    • >=4.0.0, <4.18.0

Technical Details

The fix for CVE-2021-23337 addressed validation for the `variable` option in `_.template` but failed to apply the same validation to `options.imports` key names. Both code paths ultimately feed into the same `Function()` constructor. When untrusted input is passed as `options.imports` key names, an attacker can inject crafted default-parameter expressions within these key names. These expressions are then executed as arbitrary code when the template is compiled, leading to arbitrary code execution.

Additionally, `_.template` utilizes `assignInWith` to merge imports; this method enumerates inherited properties, meaning if `Object.prototype` is already polluted by another vector, those polluted keys are copied into the imports object and subsequently passed to `Function()`, amplifying the impact of pre-existing pollution.
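The following guard is an added example, not code from lodash or from this advisory: it shows how an application can restrict caller-supplied `options.imports` to own, identifier-named keys before they reach `_.template`. The names `safeImports`, `inheritedKeys` and `demo`, the identifier allow-list and the sample objects are assumptions made for illustration; the guard covers only the object the application passes in and does not replace upgrading to 4.18.0.

```javascript
// Added example: guard for caller-supplied _.template imports (not lodash code).
// Assumption: import names only ever need to be plain ASCII identifiers.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns a null-prototype copy holding only own, identifier-named keys.
// Throws on any own key that could not be a bare parameter name.
function safeImports(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object') {
    throw new TypeError('imports must be an object');
  }
  const clean = Object.create(null);
  // Object.keys() lists own enumerable keys only; a for...in style merge
  // (as assignInWith performs) would also walk inherited ones.
  for (const key of Object.keys(untrusted)) {
    if (!IDENTIFIER.test(key)) {
      throw new RangeError('rejected imports key: ' + JSON.stringify(key));
    }
    clean[key] = untrusted[key];
  }
  return clean;
}

// Keys an inherited-property merge would copy but that the object does not own.
function inheritedKeys(obj) {
  const found = [];
  for (const key in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) found.push(key);
  }
  return found;
}

// Constructed sample input: the parent object stands in for a polluted prototype.
const parent = { injected: 'from-prototype' };
const sample = Object.assign(Object.create(parent), { helper: String });

function demo() {
  const clean = safeImports(sample);
  let rejected = false;
  try {
    safeImports({ 'x = 1': true }); // constructed key that is not an identifier
  } catch (err) {
    rejected = err instanceof RangeError;
  }
  return { inherited: inheritedKeys(sample), keys: Object.keys(clean), rejected };
}

console.log(demo());
```

A non-empty `inheritedKeys(...)` result on an object built from parsed input is worth logging, since it indicates that a prototype in its chain carries enumerable properties.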

What is the Impact of CVE-2026-4800?

Successful exploitation may allow attackers to execute arbitrary code at template compilation time, leading to remote code execution, or leverage existing prototype pollution to further compromise the application's integrity.

What is the Exploitability of CVE-2026-4800?

Exploitation requires the application to use `_.template` and pass untrusted input specifically as key names within the `options.imports` object. While no authentication is explicitly mentioned, the attack is likely local to the application's processing of data, rather than a direct remote network exploit. The complexity of crafting the malicious `options.imports` key names to execute arbitrary code is moderate to high, requiring specific knowledge of JavaScript and how default-parameter expressions can be abused in `Function()` constructors. The existence of a proof-of-concept increases the likelihood of exploitation. The risk factors include processing untrusted templates or user-supplied configuration that influences template imports. If `Object.prototype` is already polluted via another vulnerability, this issue could be easier to exploit to achieve further impact.

What are the Known Public Exploits?

PoC Author | Link | Commentary
threalwinky | Link | PoC for CVE-2026-4800

What are the Available Fixes for CVE-2026-4800?

Available Upgrade Options

  • lodash-amd
    • >=4.0.0, <4.18.0 → Upgrade to 4.18.0
  • lodash
    • >=4.0.0, <4.18.0 → Upgrade to 4.18.0
  • lodash.template
    • >=4.0.0, <4.18.0 → Upgrade to 4.18.0
  • lodash-es
    • >=4.0.0, <4.18.0 → Upgrade to 4.18.0

Additional Resources

What are Similar Vulnerabilities to CVE-2026-4800?

Similar Vulnerabilities: CVE-2021-23337, CVE-2020-28500, CVE-2019-10744, CVE-2020-8203, CVE-2019-10740