Security Vulnerability in @tawk.to/tawk-messenger-react: lodash.template Command Injection (CVE-2021-23337)

Summary

I’ve identified a high-severity security vulnerability (CVE-2021-23337) in the @tawk.to/tawk-messenger-react package. The vulnerability originates from a transitive dependency on react-scripts@4.0.3, which includes the vulnerable lodash.template package.

Vulnerability Details

CVE ID: CVE-2021-23337
GHSA ID: GHSA-35jh-r3h4-6jhm
CVSS 3.1 Score: 7.2 (HIGH)
Severity: High
Issue Type: Command Injection

Description:
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. This vulnerability allows attackers to execute arbitrary code by passing malicious JavaScript in templates to the affected function, potentially resulting in Remote Code Execution.

Affected Package Path:

@tawk.to/tawk-messenger-react > react-scripts@4.0.3 > workbox-webpack-plugin > workbox-build > lodash.template@4.5.0

Current Status:

  • The lodash.template package has no patched version available (Patched versions: <0.0.0)
  • The package is deprecated and no longer maintained
  • The vulnerability cannot be fixed without updating the dependency chain

Impact

This vulnerability affects all applications using @tawk.to/tawk-messenger-react because:

  • The package depends on react-scripts@4.0.3, which is outdated
  • react-scripts@4.0.3 pulls in lodash.template@4.5.0 as a transitive dependency
  • There is no way for end users to patch this without replacing the entire package
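The following is an added example, not code from the original report or from tawk.to: it walks a dependency graph shaped like the affected path above and lists every route from the project root to the vulnerable package, noting whether a route consists only of production edges (installed in a production deploy) or passes through a devDependency (build-time only). The graph, its `dev` flags and the extra direct `react-scripts` devDependency are constructed assumptions, not lockfile data.

```javascript
// Added example (not the report's or tawk.to's code): find all paths from the
// project root to a vulnerable package and classify them as production or
// build-time only. Useful before deciding whether an override is even possible.

// Constructed graph. Names and versions follow the report's affected path;
// the `dev` flags are assumptions for illustration, not real lockfile data.
const GRAPH = {
  "my-app": {
    "@tawk.to/tawk-messenger-react@1.0.0": { dev: false },
    "react-scripts@4.0.3": { dev: true }, // assumed direct devDependency
  },
  "@tawk.to/tawk-messenger-react@1.0.0": { "react-scripts@4.0.3": { dev: false } },
  "react-scripts@4.0.3": { "workbox-webpack-plugin": { dev: false } },
  "workbox-webpack-plugin": { "workbox-build": { dev: false } },
  "workbox-build": { "lodash.template@4.5.0": { dev: false } },
  "lodash.template@4.5.0": {},
};

// Depth-first search for every root -> target path. `prodOnly` stays true only
// while each edge on the current path is a production dependency.
function findPaths(graph, root, target) {
  const found = [];
  function walk(node, path, prodOnly, onStack) {
    if (node === target) { found.push({ path: path.slice(), prodOnly }); return; }
    if (onStack.has(node)) return; // real lockfiles can contain cycles
    onStack.add(node);
    for (const [dep, edge] of Object.entries(graph[node] ?? {})) {
      walk(dep, path.concat(dep), prodOnly && !edge.dev, onStack);
    }
    onStack.delete(node);
  }
  walk(root, [root], true, new Set());
  return found;
}

// A package reachable over at least one all-production path is installed in a
// production deploy, so fixing only a build-time path does not remove it.
function exposure(graph, root, target) {
  const paths = findPaths(graph, root, target);
  return {
    paths: paths.map((p) => p.path.join(" > ")),
    installedInProduction: paths.some((p) => p.prodOnly),
    buildTimeOnly: paths.length > 0 && paths.every((p) => !p.prodOnly),
  };
}

console.log(JSON.stringify(exposure(GRAPH, "my-app", "lodash.template@4.5.0"), null, 2));
```

With the constructed graph the report's chain is the production path, while the direct `react-scripts` route is build-time only, so the package is still installed in production.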

Request

Could the Tawk.to team please:

  • Update the dependency chain to remove or replace react-scripts@4.0.3 with a more modern, secure alternative
  • Remove the dependency on lodash.template or ensure it’s updated to a secure version
  • Provide a timeline for when this security issue will be addressed

Workaround

Currently, the only workaround is to:

  • Remove @tawk.to/tawk-messenger-react and use an alternative chat widget, OR
  • Accept the security risk (not recommended for production applications)

Additional Context

I’ve already applied security patches to 34 other vulnerabilities in my project using pnpm overrides, but this particular vulnerability cannot be fixed without changes to the @tawk.to/tawk-messenger-react package itself.

References

  • nvd.nist.gov/vuln/detail/CVE-2021-23337
  • github.com/advisories/GHSA-35jh-r3h4-6jhm
  • snyk.io/vuln/SNYK-JS-LODASH-1040724

Package Version: @tawk.to/tawk-messenger-react@1.0.0
Node Version: 20.19.0
Package Manager: pnpm@10.14.0

Thank you for your attention to this security matter.