@tryghost/tpl uses deprecated lodash.template with unpatched CVE-2021-23337 #730

Summary

The @tryghost/tpl package depends on lodash.template@^4.5.0, which is deprecated and has an unpatched command injection vulnerability (CVE-2021-23337).

Affected Package Chain

gscan
  → @tryghost/validator
    → @tryghost/tpl@0.1.35 (latest)
      → lodash.template@4.5.0 (deprecated, no fix available)

Vulnerability Details

  • CVE: CVE-2021-23337
  • Severity: High
  • Type: Command Injection
  • Status: No patched version of lodash.template exists

Impact

Theme developers using gscan for validation receive Dependabot security alerts that cannot be resolved without upstream changes.

Suggested Fix

Consider migrating @tryghost/tpl to use an actively maintained templating library such as:

Workaround

Currently dismissing as "tolerable risk" since:

  • Only affects development dependencies
  • Template input is controlled (theme files, not user input)

Environment

  • gscan: 5.2.1
  • @tryghost/validator: 0.2.17
  • @tryghost/tpl: 0.1.35
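For anyone weighing the workaround above, the following is an added example, not code from gscan, @tryghost/tpl or lodash. CVE-2021-23337 is about the `variable` option of `_.template`: lodash spliced the caller-supplied name unvalidated into source text handed to the Function constructor, so a string that is not an identifier becomes code. The minimal `_.template`-style compiler below was written for this illustration and reproduces only that detail (supporting just `<%= expr %>` tags), alongside a hardened variant that rejects any `variable` that is not a plain identifier. The names compileVulnerable, compileHardened, templateToExpression and the PAYLOAD string are inventions of the example; the payload follows the shape of the public proof of concept but is written to return a marker string instead of doing anything harmful.

```javascript
// Added illustration (not lodash's code) of the pattern behind CVE-2021-23337:
// a minimal _.template-style compiler that splices the caller-supplied
// `variable` option straight into source text passed to the Function
// constructor. Only the `<%= expr %>` interpolation tag is implemented.

// Turn template text into a JS expression that evaluates to the rendered string.
// Literal text goes through JSON.stringify, so quotes and newlines cannot break
// out of the string literal; `variable` is the only thing left unescaped, which
// is the point of the demonstration.
function templateToExpression(text) {
  const parts = [];
  const tag = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = tag.exec(text)) !== null) {
    parts.push(JSON.stringify(text.slice(last, m.index)));
    parts.push(`(${m[1].trim()})`);
    last = tag.lastIndex;
  }
  parts.push(JSON.stringify(text.slice(last)));
  return parts.join(' + ');
}

// Vulnerable compiler: `variable` becomes the parameter name of the generated
// function with no validation. Without a variable, bare names in <%= %> resolve
// against the data object through `with (obj)`, as in lodash's default mode.
function compileVulnerable(text, options = {}) {
  const variable = options.variable;
  const param = variable || 'obj';
  let body = `return ${templateToExpression(text)};`;
  if (!variable) body = `with (obj) { ${body} }`;
  const source = `return function(${param}) { ${body} };`;
  // Functions built by the Function constructor are never strict unless their
  // body says so, so the `with` statement above is legal here.
  return new Function(source)();
}

// Hardened compiler: identical generation, but the name must be a plain
// identifier before it is spliced in. An allowlist is used here; it is stricter
// than a character blacklist and is the choice made for this example.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileHardened(text, options = {}) {
  if (options.variable !== undefined && !IDENTIFIER.test(options.variable)) {
    throw new Error(`Invalid template variable name: ${JSON.stringify(options.variable)}`);
  }
  return compileVulnerable(text, options);
}

// Payload in the shape of the public proof of concept: close the parameter list
// early, insert a function body of the attacker's choosing, then reopen a
// function so the remainder of the generated source still parses.
const PAYLOAD = "){ return 'INJECTED' }; var unused = function(obj";

// Renders one template three ways and returns the results for inspection.
function demo() {
  const text = 'Hello <%= name %>!';
  const honest = compileVulnerable(text)({ name: 'theme' });
  // The compiled "template" is now the attacker's function; the data is ignored.
  const injected = compileVulnerable(text, { variable: PAYLOAD })({ name: 'theme' });
  let hardened;
  try {
    compileHardened(text, { variable: PAYLOAD });
    hardened = 'compiled (unexpected)';
  } catch (e) {
    hardened = e.message;
  }
  return { honest, injected, hardened };
}

console.log(demo());
```

Run it with node. What the example makes concrete for the workaround is that the injected input in this CVE is the options object passed to `_.template`, not the template text, so "template input is controlled" has to hold for every call site that supplies options as well as for the theme files themselves.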
