lodash.template is a The Lodash method _.template exported as a Node.js module.
Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.
PoC
var _ = require('lodash');
_.template('', { variable: '){console.log(process.env)}; with(obj' })()