Command injection vulnerability in lodash

[sergibondarenko]

https://www.npmjs.com/advisories/1673

Overview
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Remediation
Upgrade to version 4.17.21 or later

Resources
CVE https://nvd.nist.gov/vuln/detail/CVE-2021-23337
GitHub Advisory GHSA-35jh-r3h4-6jhm
Snyk Advisory https://snyk.io/vuln/SNYK-JS-LODASH-1040724

[sergibondarenko]

Ok, it looks like it is not a blocker. The lodash template function is affected by the command injection vulnerability. And the formik doesn't use the template function.

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Details: https://snyk.io/vuln/SNYK-JS-LODASH-1040724

Lodash fix: lodash/lodash@3469357