Vulnerability
Severity: HIGH
Package: lodash@4.17.21
Advisory: GHSA-r5fr-rjxr-66jc — CVSS 8.1
Affected component: core
Dependency type: transitive
Dependency chains:
pmxt-core → @nevuamarkets/poly-websockets (peerDep) → lodash@4.17.21
pmxt-core → @openapitools/openapi-generator-cli (devDep) → inquirer@8.2.7 → lodash@4.17.21
Description
lodash ≤4.17.23 is vulnerable to code injection via the _.template function. If an attacker controls the keys of the imports option passed to a lodash template, arbitrary JavaScript code can be executed in the host process. The vulnerability is in the template compilation path.
Fix
Recommended version: No released patch exists for lodash v4 (4.17.21 is the current latest; 4.17.22/4.17.23 are not published). The npm audit fix --force path requires updating upstream packages that depend on lodash.
Fix command:
# Force-update upstream packages to resolve lodash transitively
npm update @nevuamarkets/poly-websockets @openapitools/openapi-generator-cli
If lodash v4 remains pinned by an upstream, consider replacing the dependency with lodash-es, just-* utilities, or waiting for upstream to upgrade.
Risk Assessment
The code injection in _.template requires that attacker-controlled data be passed as template imports keys. If neither @nevuamarkets/poly-websockets nor @openapitools/openapi-generator-cli passes untrusted data to _.template, the practical exploitability is low. However, since lodash v4 is effectively unmaintained and no fix version exists, this dependency should be considered for removal or replacement. The devDep path (openapi-generator-cli) is lower priority than the runtime path via @nevuamarkets/poly-websockets.
Found by automated dependency vulnerability scan