
fix(security): Fix critical issue in lodash-es via minor version upgrade from 4.17.21 to 4.18.1#1707

Draft
aikido-autofix[bot] wants to merge 1 commit into main from
fix/aikido-security-update-packages-22734870-iqtj

Conversation

@aikido-autofix
Contributor

Upgrade lodash-es to fix critical RCE vulnerability in _.template where untrusted imports key names can execute arbitrary code via Function() constructor injection.

✅ 1 CVE resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue: CVE-2026-4800
Severity: 🚨 CRITICAL
Description: [lodash-es] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.

@aikido-autofix aikido-autofix Bot added the Aikido Label created by Aikido AutoFix label Apr 11, 2026
@lifi-action-bot lifi-action-bot marked this pull request as draft April 11, 2026 08:29

Labels

Aikido Label created by Aikido AutoFix AuditNotRequired
