typicode / lowdb

Simple and fast JSON database
MIT License

[Security] Black duck scan security issue #516

Closed SrinuPedireddi closed 2 years ago

SrinuPedireddi commented 2 years ago

Hi Team,

We are facing the Black Duck scan security issue below with the lowdb package. Please check the screenshot and issue details below and kindly suggest a solution or next steps.

CVE-2021-41720 Description: DISPUTED A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.

luukdv commented 2 years ago

Looks like the security issue comes from lodash, not lowdb.
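One way to confirm which dependency pulls lodash into a project, so a scanner finding like the one above can be attributed to the right package, as an added example that is not code from the lowdb or lodash projects. It reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3); the lock data here is constructed, and the `findDependents` and `resolve` helpers are hypothetical names, not an npm API.

```javascript
// Added example: trace every installed copy of a package (here lodash) back to
// the dependencies that require it, using the "packages" map of package-lock.json.

// Constructed sample lock data, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { lowdb: "^1.0.0", express: "^4.18.0" } },
    "node_modules/lowdb": { version: "1.0.0", dependencies: { lodash: "^4.17.4" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/express": { version: "4.18.2" },
  },
};

// Parent of a node_modules path: "node_modules/a/node_modules/b" -> "node_modules/a";
// a top-level install ("node_modules/a") has the root package "" as its parent.
function parentPath(p) {
  const i = p.lastIndexOf("/node_modules/");
  return i === -1 ? "" : p.slice(0, i);
}

// Package name from an install path ("node_modules/@scope/x" -> "@scope/x").
function nameOf(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Node resolution as npm lays it out: look in <fromPath>/node_modules/<name>,
// then walk up one level at a time until the root is reached.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    base = parentPath(base);
  }
}

// For each installed copy of `target`, report its version and who depends on it.
function findDependents(lock, target) {
  const packages = lock.packages;
  const result = {};
  for (const [path, meta] of Object.entries(packages)) {
    if (!(meta.dependencies || {})[target]) continue;
    const resolved = resolve(packages, path, target);
    if (!resolved) continue; // declared but not installed (e.g. optional)
    const entry = result[resolved] ||
      (result[resolved] = { version: packages[resolved].version, dependents: [] });
    entry.dependents.push(path === "" ? "(root package.json)" : nameOf(path) + "@" + packages[path].version);
  }
  return result;
}

console.log(JSON.stringify(findDependents(sampleLock, "lodash"), null, 2));
```

Run it against a real lock file by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the output names the package that introduces lodash and the installed version to compare against the advisory.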