CVE-2021-23358

underscore is vulnerable to Arbitrary Code Injection

Arbitrary Code Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 29, 2021

Low Risk

This Affects:

underscore

TL;DR

Underscore is a JavaScript utility library that provides a range of functional programming helpers. Because the `variable` property passed to its template function is used as an argument without being sanitized, the library is vulnerable to Arbitrary Code Injection, which may lead to the execution of arbitrary code or to leveraging executable code in non-executable files.

Who does this affect?

You are affected by this flaw if your own code, or a library you depend on, passes external input to this package without proper sanitization.

Background info

underscore is vulnerable to Arbitrary Code Injection in versions < 1.12.1 and < 1.13.0-2.

How to fix this

To fix the vulnerability, upgrade underscore to version 1.13.1 or later and sanitize all arguments you pass to packages that might use this library. As a good practice, we recommend always validating and limiting any input received from external sources to avoid any kind of injection.
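The two checks below are an added illustration of this advice; they are not part of this advisory or of underscore's own code. The first rejects any template `variable` setting that is not a bare JavaScript identifier before it reaches `_.template` (the identifier regex and reserved-word list are this example's own choices). The second compares an installed version string against the fix version named above, 1.13.1, handling pre-release tags such as `1.13.0-2` correctly.

```javascript
// Added example (not underscore's own code): defensive checks around
// _.template for CVE-2021-23358.
//  1. validateTemplateVariable(): only a bare identifier may be used as the
//     `variable` template setting.
//  2. isUnderscoreFixed(): is the installed version >= 1.13.1?

// Assumption of this example: a bare identifier is ASCII letters, digits,
// '_' and '$', not starting with a digit, and not a reserved word.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return', 'super',
  'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void', 'while',
  'with', 'yield', 'let', 'static', 'await',
]);

// Returns the settings object unchanged when `variable` is acceptable (or
// absent); throws otherwise, so the bad value never reaches _.template.
function validateTemplateVariable(settings) {
  if (settings == null || settings.variable === undefined) return settings;
  const v = settings.variable;
  if (typeof v !== 'string' || !IDENTIFIER_RE.test(v) || RESERVED.has(v)) {
    throw new TypeError(
      'template `variable` must be a bare identifier, got: ' + JSON.stringify(v));
  }
  return settings;
}

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(str).trim());
  if (!m) throw new TypeError('not a semver string: ' + str);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// SemVer ordering: numeric core first; a pre-release sorts below the same
// core without one; pre-release identifiers compare numerically when both
// are numeric, otherwise lexically. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  const xs = x.pre.split('.'), ys = y.pre.split('.');
  for (let i = 0; i < Math.max(xs.length, ys.length); i++) {
    if (xs[i] === undefined) return -1;
    if (ys[i] === undefined) return 1;
    const xn = /^\d+$/.test(xs[i]), yn = /^\d+$/.test(ys[i]);
    if (xn && yn) {
      if (Number(xs[i]) !== Number(ys[i])) return Number(xs[i]) < Number(ys[i]) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    } else if (xs[i] !== ys[i]) {
      return xs[i] < ys[i] ? -1 : 1;
    }
  }
  return 0;
}

const FIXED_VERSION = '1.13.1'; // fix version given in the advisory above

// In a real project the argument would be require('underscore/package.json').version.
function isUnderscoreFixed(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) >= 0;
}

// Stand-alone demonstration on constructed inputs.
function demo() {
  const results = {
    okVariable: validateTemplateVariable({ variable: 'data' }).variable,
    rejected: [],
    versions: {},
  };
  for (const bad of ['item-name', '1st', 'this', '', 42]) {
    try { validateTemplateVariable({ variable: bad }); }
    catch (e) { results.rejected.push(bad); }
  }
  for (const v of ['1.12.0', '1.13.0-2', '1.13.0', '1.13.1', '1.13.6']) {
    results.versions[v] = isUnderscoreFixed(v);
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Wrap every call site that builds template settings from request data in `validateTemplateVariable`, and run `isUnderscoreFixed` against the resolved package version in a CI step so a downgrade through a transitive dependency is caught.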

Links

https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71
https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E
https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E
https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E
https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E
https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
https://www.debian.org/security/2021/dsa-4883
https://www.tenable.com/security/tns-2021-14
http://seclists.org/fulldisclosure/2025/Apr/14
https://security.netapp.com/advisory/ntap-20240808-0003/