Resolved CVE-2026-4800, CVE-2026-27904, CVE-2026-33532, and CVE-2026-33672. #1509

Merged
AWSHurneyt merged 3 commits into opensearch-project:2.8 from KashKondaka:fix/cve-2026-4800-2.8
May 6, 2026
Conversation

@KashKondaka

Collaborator

Summary

Resolves CVE-2026-4800 (HIGH severity) by bumping lodash and lodash-es yarn resolutions to ^4.18.0 in package.json.

Details

The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Impact

An attacker can inject default-parameter expressions that execute arbitrary code at template compilation time via untrusted options.imports key names. Prototype pollution can also be exploited via assignInWith.

Fix

  • Bumped lodash and lodash-es resolutions to ^4.18.0 in package.json
  • Version 4.18.0 validates importsKeys against reForbiddenIdentifierChars and replaces assignInWith with assignWith

Test Plan

  • Verify lodash and lodash-es resolve to >=4.18.0 after yarn install
  • Verify no regressions in build or tests
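The description above names two defects in `_.template`'s handling of `options.imports`: key names were not validated before reaching the `Function()` constructor, and `assignInWith` merged inherited (`for..in`) properties, so a polluted `Object.prototype` leaked keys into the generated code. The block below is an added example, not lodash's code and not part of this PR; it shows the shape of the 4.18.0 fix the PR describes. The identifier pattern and the function names (`validateImportKeys`, `mergeImports`, `safeImportNames`, `forInKeys`) are assumptions, and the "polluted" prototype is constructed locally with `Object.create` rather than by modifying the global `Object.prototype`.

```javascript
// Added example (not lodash's code, not the PR's): a defensive check that mirrors
// the two fixes described for _.template's `imports` option.
// ASSUMPTION: lodash's reForbiddenIdentifierChars may differ from this pattern;
// the point is that only plain identifiers may be spliced into a parameter list.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reject any import key that is not a plain identifier. A key carrying
// punctuation or whitespace cannot be a safe parameter name for Function().
function validateImportKeys(imports) {
  const bad = Object.keys(imports).filter((k) => !IDENTIFIER.test(k));
  if (bad.length > 0) {
    throw new TypeError(`Invalid import name(s): ${bad.join(', ')}`);
  }
  return Object.keys(imports);
}

// Merge only own enumerable keys (the assignWith behaviour the PR describes),
// so properties inherited from a polluted prototype never reach the sink.
function mergeImports(defaults, imports) {
  const out = Object.create(null); // no prototype of its own either
  for (const k of Object.keys(defaults)) out[k] = defaults[k];
  for (const k of Object.keys(imports)) out[k] = imports[k];
  return out;
}

// What a for..in-style merge (the pre-fix assignInWith path) would enumerate:
// own keys followed by inherited enumerable keys.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Validate-then-merge: returns the list of names that would become parameters.
function safeImportNames(defaults, imports) {
  const merged = mergeImports(defaults, imports);
  validateImportKeys(merged);
  return Object.keys(merged);
}

// Demonstration on constructed input (no global prototype is modified).
const defaults = { _: 'lodash-placeholder' };
const polluted = Object.create({ polluted: 'inherited' }); // stands in for a polluted prototype
polluted.helper = 'own';

console.log('for..in sees:', forInKeys(polluted));            // [ 'helper', 'polluted' ]
console.log('own-key merge keeps:', safeImportNames(defaults, polluted)); // [ '_', 'helper' ]
try {
  safeImportNames(defaults, { 'not an identifier': 1 });
} catch (e) {
  console.log('rejected:', e.message);
}
```

The two behaviours to keep apart are visible in the output: `forInKeys` reports the inherited `polluted` key, while `safeImportNames` drops it and additionally refuses any key that is not an identifier, which is the check the description says 4.18.0 added.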

@AWSHurneyt AWSHurneyt left a comment

The workflow failures are unrelated to the dependency bump. Those failures will be fixed in separate PRs.

Details:
The fix for CVE-2021-23337 added validation for the variable option in
_.template but did not apply the same validation to options.imports key
names. Both paths flow into the same Function() constructor sink. When
an application passes untrusted input as options.imports key names, an
attacker can inject default-parameter expressions that execute arbitrary
code at template compilation time. Additionally, _.template uses
assignInWith to merge imports, which enumerates inherited properties
via for..in. If Object.prototype has been polluted by any other vector,
the polluted keys are copied into the imports object and passed to
Function().

Impact:
When an application passes untrusted input as options.imports key names
to _.template, an attacker can inject default-parameter expressions
that execute arbitrary code at template compilation time. Additionally,
prototype pollution can be exploited via assignInWith to inject keys
into the Function() constructor.

Fix:
Bumped lodash and lodash-es resolutions to ^4.18.0 in package.json.
Version 4.18.0 validates importsKeys against reForbiddenIdentifierChars
and replaces assignInWith with assignWith when merging imports.

Signed-off-by: KashKondaka <37753523+KashKondaka@users.noreply.github.com>
@AWSHurneyt AWSHurneyt force-pushed the fix/cve-2026-4800-2.8 branch from c2d1375 to 10c9604 Compare May 6, 2026 00:23
AWSHurneyt added 2 commits May 6, 2026 10:26
Signed-off-by: Thomas Hurney <hurneyt@amazon.com>
…ons.

Signed-off-by: Thomas Hurney <hurneyt@amazon.com>
@AWSHurneyt AWSHurneyt changed the title Resolve CVE-2026-4800 by bumping lodash and lodash-es to ^4.18.0 Resolved CVE-2026-4800, CVE-2026-27904, CVE-2026-33532, and CVE-2026-33672. May 6, 2026
@AWSHurneyt

Collaborator

The unit test workflows are failing because of the brace-expansion@5.0.5 bump. This was needed to address CVE-2026-33750. That version is incompatible with node versions under Node 18; however, OpenSearch-Dashboards currently uses Node 16 for version branches 2.4-2.9. If another patch is released for those older versions, OSD will need to bump the version of node for compatibility.

@AWSHurneyt

Collaborator

Consolidating changes from CVE PRs #1440, #1488, and #1464 into this PR.

@AWSHurneyt AWSHurneyt merged commit 5612cd7 into opensearch-project:2.8 May 6, 2026
3 of 7 checks passed
3 participants