CVE-2021-23358 identifies an arbitrary code injection vulnerability in the Underscore.js library: the template function lets an attacker execute injected code when the variable property is passed through without proper sanitization. The vulnerability affects Underscore.js versions 1.13.0-0 through 1.13.0-1 and 1.3.2 through 1.12.0. NVD rates it CVSS 7.2 (High), while Snyk assessed it at 3.3 (Low); its EPSS exploitation probability is about 1%, placing it in the 75.6th percentile, which indicates meaningful attack potential for JavaScript applications that use the vulnerable template functionality. In detail, the template function's settings.variable parameter lacks input validation, so an attacker who can control the value of _.templateSettings.variable can inject JavaScript that executes during template compilation, when the template body is turned into a function through the new Function() constructor. This creates substantial exploit risk for JavaScript applications and Node.js services that process user-controlled template variables, in particular web applications with dynamic templating features, content management systems that render with Underscore.js, and applications that accept user-defined template configurations without adequate input sanitization.
The technical root cause is the template function's insufficient validation of the settings.variable parameter: without the bareIdentifier regex check, a crafted variable name is spliced into generated code, which is classified as CWE-94 (Improper Control of Generation of Code), the weakness class behind many exploited code-injection vulnerabilities in JavaScript template processing. The flaw sits in the interaction between _.templateSettings.variable handling and template compilation, where malicious input escapes the normal template boundaries and runs arbitrary JavaScript in the application's runtime context. With over 38 affected packages, including pki-core components, and widespread adoption across JavaScript ecosystems, the vulnerability shows how much input validation in popular utility libraries matters. Mitigation requires upgrading to Underscore.js 1.13.0-2 or 1.12.1 and later, which validate the template variable parameter against the bareIdentifier regex before using it in generated code; where an upgrade is not immediately possible, apply workarounds such as strict input validation for all template settings and never letting users control the variable option passed to template functions. Organizations should identify every JavaScript application that uses a vulnerable Underscore.js version together with template functionality, audit template processing workflows for user-controlled input, enforce validation and sanitization of template parameters, and keep their CVE tracking current so that similar code injection vulnerabilities in templating systems and dynamic code generation are caught early.
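The bareIdentifier guard described above, written out as an added example that is not Underscore's own code. The regex is an assumption modelled on the upstream fix, and compileTemplate is a hypothetical stand-in for _.template, included only so the block runs without the library; it mimics the relevant behaviour of naming the render function's parameter after settings.variable and compiling with new Function(). Template text is treated as trusted author content, as it is in Underscore; the user-controlled input being defended is the variable setting.

```javascript
// Added example, not Underscore's code. The regex is an assumption modelled on
// the bareIdentifier check introduced in Underscore 1.12.1 / 1.13.0-2.
const BARE_IDENTIFIER = /^\s*(\w|\$)+\s*$/;

// Reject any `variable` value that is not a single bare identifier.
// Returns the trimmed identifier, or throws before any code is generated.
function assertBareIdentifier(name) {
  if (typeof name !== 'string' || !BARE_IDENTIFIER.test(name)) {
    throw new TypeError('template variable is not a bare identifier: ' + String(name));
  }
  return name.trim();
}

// Build a settings object from possibly user-supplied input, keeping only the
// `variable` key and only after it has passed validation.
function sanitizeTemplateSettings(userSettings) {
  const out = {};
  if (userSettings && userSettings.variable !== undefined) {
    out.variable = assertBareIdentifier(userSettings.variable);
  }
  return out;
}

// Hypothetical stand-in for _.template: supports only <%= expr %> interpolation,
// names the render function's parameter after settings.variable (default "obj"),
// and compiles with new Function(), as Underscore does.
function compileTemplate(text, settings) {
  const clean = sanitizeTemplateSettings(settings);
  const argument = clean.variable || 'obj';
  // Split into alternating literal text and expressions; literals are
  // JSON-escaped, expressions are emitted as written (trusted template author).
  const parts = text.split(/<%=\s*([^%]+?)\s*%>/);
  const body = 'var __p = "";\n' +
    parts.map((part, i) =>
      i % 2 === 0 ? `__p += ${JSON.stringify(part)};` : `__p += (${part});`
    ).join('\n') +
    '\nreturn __p;';
  return new Function(argument, body);
}

// Self-check when run directly: a valid identifier is accepted and used.
const render = compileTemplate('Hello <%= data.name %>!', { variable: 'data' });
console.log(render({ name: 'world' })); // Hello world!
```

The important property is that validation happens before new Function() is ever called, so a rejected value never reaches code generation; logging the TypeError at that point also gives a cheap detection signal for attempts to set a non-identifier variable.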