Command Injection [High Severity] vulnerability in the lodash.template dependency

[rushabhshah1993]

Version

2.7.14

Reproduction link

gitlab.com
SNYK issue link

Steps to reproduce

The issue can be reproduced by completing the following steps:

1. Use the CLI tool of "Snyk" (https://snyk.io/) or "Tenable" (https://www.tenable.com/) on a repository built on Vue 2.
2. When you use the CLI tool to check for vulnerabilities, you will find the vulnerability checker raises a high severity issue for the "lodash.template" package which is a dependency for the "vue-server-renderer" package.

What is expected?

It should not raise a vulnerability issue for the above-mentioned package.

What is actually happening?

It raises a high-severity issue for the above-mentioned package.

---

While running a security check for the packages used in our company's repository using SNYK and Tenable, it returned a high-severity issue for the "lodash.template" package (v4.5.0) which is introduced as a part of the "vue-server-renderer" package (v2.7.14). Our CI/CD pipelines are introducing a rule which would not allow a deployment to execute if there are high-severity vulnerabilities in the repository.

[posva]

Vue Server renderer has fixed options passed to lodash.template and it doesn't include variable which is the source of the problem (https://security.snyk.io/package/npm/lodash.template/4.5.0). So this is fine ✅