lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
MODERATE
GHSA-f23m-r3pf-42rh
CVE-2026-2950
Description:
Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
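A simplified model of the bypass described above, added here as an illustration and not taken from lodash's source or its patch. `isBlockedWeak`, `isBlockedStrict`, `unsetWith` and `demo` are hypothetical names, and the demo runs against a constructed private prototype rather than a built-in.

```javascript
// Simplified model of a path guard. NOT lodash source; every name here is hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard: a segment is only recognised as dangerous when it is a string.
const isBlockedWeak = (seg) => typeof seg === 'string' && BLOCKED.has(seg);

// Hardened guard: convert the segment to the key that property access will
// actually use (symbols stay symbols, everything else becomes a string), then compare.
const toKey = (seg) => (typeof seg === 'symbol' ? seg : String(seg));
const isBlockedStrict = (seg) => BLOCKED.has(toKey(seg));

// Delete the property addressed by `path`, unless the guard rejects a segment.
function unsetWith(isBlocked, root, path) {
  if (path.length === 0 || path.some(isBlocked)) return false;
  let node = root;
  for (const seg of path.slice(0, -1)) {
    if (node == null) return false;
    node = node[seg]; // bracket access coerces a one-element array to its string
  }
  if (node == null) return false;
  return delete node[path[path.length - 1]];
}

// Constructed sandbox: a private prototype shared by two objects, so the demo
// never touches Object.prototype or any other built-in.
function demo(isBlocked, path) {
  const shared = { greet() { return 'hi'; } };
  const a = Object.create(shared);
  const b = Object.create(shared);
  const accepted = unsetWith(isBlocked, a, path);
  return { accepted, siblingStillWorks: typeof b.greet === 'function' };
}

const plain = ['__proto__', 'greet'];     // string segment: both guards reject it
const wrapped = [['__proto__'], 'greet']; // array-wrapped segment

console.log('weak,   plain  :', demo(isBlockedWeak, plain));
console.log('weak,   wrapped:', demo(isBlockedWeak, wrapped));
console.log('strict, wrapped:', demo(isBlockedStrict, wrapped));
```

The weak guard accepts the wrapped path and the method disappears for every object sharing that prototype; the guard that normalises each segment first rejects it.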
Patches
This issue is patched in 4.18.0.
Workarounds
None. Upgrade to the patched version.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| npm | lodash.unset | >= 4.0.0, < 4.18.0 | 4.18.0 |
| npm | lodash-amd | <= 4.17.23 | 4.18.0 |
| npm | lodash-es | <= 4.17.23 | 4.18.0 |
| npm | lodash | <= 4.17.23 | 4.18.0 |
Bump lodash from 4.17.21 to 4.18.1
Closed about 8 hours ago
Tina2010/myFlix-Client #9
npm:lodash
build(deps): bump the npm_and_yarn group across 1 directory with 10 updates
Open about 9 hours ago
gitroomhq/postiz-app #1536
npm:axios
npm:vite
+7 more
build(deps): bump the npm_and_yarn group across 1 directory with 7 updates
Closed about 13 hours ago
Milky-Way-Cookie/autograd-engine #12
npm:vite
npm:rollup
+5 more
chore(deps): bump lodash from 4.17.23 to 4.18.1
Open about 16 hours ago
bronsonacoutts/MyTemplates #29
npm:lodash
Bump the production-dependencies group with 4 updates
Closed about 16 hours ago
Sammons/certbot-cloudflare-wrapper #35
npm:express
npm:lodash
+2 more
chore(deps-dev): bump lodash from 4.17.23 to 4.18.1 in /html/themes/custom/common_design_subtheme
Closed about 16 hours ago
UN-OCHA/common-design-site #633
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Open about 17 hours ago
Mordi490/lineup-larry #39
npm:lodash
chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates
Open about 18 hours ago
drewjocham/arguskube #112
npm:vite
npm:lodash
Bump the npm_and_yarn group across 2 directories with 7 updates
Open about 18 hours ago
nilhemdot/openwolf #1
npm:vite
npm:lodash
+3 more
chore(deps): bump the npm_and_yarn group across 4 directories with 10 updates
Open about 21 hours ago
CHENY260/onyx #1
npm:vite
npm:next
+4 more
Bump the npm_and_yarn group across 1 directory with 9 updates
Open about 22 hours ago
Googleclaude/react-router-starter-template-1 #1
npm:react-router
npm:vite
+7 more
Bump lodash from 4.17.21 to 4.18.1
Open 1 day ago
DougMackenzie/power-insight #6
npm:lodash
Bump the npm_and_yarn group across 7 directories with 10 updates
Open 1 day ago
balajirajput96/onnxruntime #42
npm:follow-redirects
npm:lodash
+3 more
Bump the npm_and_yarn group across 1 directory with 5 updates
Open 1 day ago
advayc/sitemaker #11
npm:next
npm:postcss
+3 more
Bump lodash from 4.17.20 to 4.18.1 in /javascript
Open 1 day ago
fullerrc/dependabot-demo #6
npm:lodash
build(deps-dev): bump pa11y-ci from 3.1.0 to 4.1.1 in /tests/a11y
Open 1 day ago
saylordotorg/moodle-local_ai_course_assistant #15
npm:pa11y-ci
Bump lodash from 4.17.21 to 4.18.1
Open 2 days ago
gtibrett/effone-hub #26
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Closed 2 days ago
deflis/ranking.riel.live #66
npm:lodash
Bump lodash-es from 4.17.21 to 4.18.1 in /js
Open 2 days ago
imantubex-create/keycloak__keycloak__prixai__PR38446__20260516 #51
npm:lodash-es
Bump lodash-es from 4.17.21 to 4.18.1 in /js
Open 2 days ago
imantubex-create/keycloak__keycloak__prixai__PR36880__20260516 #60
npm:lodash-es
Bump lodash-es from 4.17.21 to 4.18.1 in /js
Open 2 days ago
imantubex-create/keycloak__keycloak__prixai__PR37038__20260516 #47
npm:lodash-es
Bump the npm_and_yarn group across 2 directories with 17 updates
Closed 2 days ago
ZAK123DSFDF/refearnapp #27
npm:axios
npm:next
+3 more
Bump lodash from 4.17.21 to 4.18.1
Closed 2 days ago
michal-cecko/sw-kysuce-web #3
npm:lodash
chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates
Closed 2 days ago
marceljk/pv_tracker #32
npm:vite
npm:serialize-javascript
+5 more
chore(deps): bump the npm_and_yarn group across 12 directories with 10 updates
Open 2 days ago
balajirajput96/openai-node #44
npm:axios
npm:lodash
+4 more
Bump lodash from 4.17.21 to 4.18.1 in /samples/tab-stage-view/nodejs
Closed 2 days ago
shaneslo/Microsoft-Teams-Samples #4
npm:lodash
Bump lodash from 4.17.15 to 4.18.1
Open 2 days ago
bhargava16623/dependabot-alternatives-test #10
npm:lodash
Bump the npm_and_yarn group across 1 directory with 7 updates
Open 2 days ago
OsoPanda1/utamv-elite-masterclass #6
npm:vite
npm:rollup
+5 more
Bump the npm_and_yarn group across 1 directory with 13 updates
Open 2 days ago
jamesbroadmore/carterscare-v2.1 #1
npm:react-router
npm:vite
+10 more
Bump lodash from 4.17.21 to 4.18.1
Open 3 days ago
shogo82148/rfc-translated-ja #127
npm:lodash
Bump the npm_and_yarn group across 16 directories with 21 updates
Open 3 days ago
AKJUS/todomvc #27
npm:postcss
npm:follow-redirects
+12 more
Bump lodash from 4.17.4 to 4.18.1
Closed 3 days ago
1995parham/react-canvas-gauges #7
npm:lodash
ci: bump the npm_and_yarn group across 2 directories with 5 updates
Open 3 days ago
jadenblack/coder #17
npm:yaml
npm:minimatch
+3 more
chore(deps): bump the npm_and_yarn group across 2 directories with 16 updates
Open 3 days ago
servrox-solutions/punktaro-app #6
npm:@babel/helpers
npm:cross-spawn
+12 more
chore(deps): Bump the npm_and_yarn group across 1 directory with 16 updates
Closed 3 days ago
robertcdawson/coronavirus-us-county-tracker #28
npm:axios
npm:yaml
+10 more
Bump the npm_and_yarn group across 1 directory with 17 updates
Closed 3 days ago
shsunmoonlee/CryptoCurrencyData #1
npm:axios
npm:express
+10 more
chore(deps): bump lodash-es from 4.17.21 to 4.18.1 in /docs
Closed 3 days ago
samber/lo #885
npm:lodash-es
chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates
Open 3 days ago
kinde-oss/js-utils #233
npm:postcss
npm:minimatch
+3 more
Bump lodash, grunt-legacy-log and grunt-legacy-util
Open 3 days ago
wp-media/imagify-plugin #1049
npm:grunt-legacy-util
npm:lodash, grunt-legacy-log
Bump lodash from 4.17.21 to 4.18.1
Open 3 days ago
d33naz/shesnotcrazybook #13
npm:lodash
Bump the npm_and_yarn group across 1 directory with 14 updates
Open 3 days ago
stupidkubik/kanban-board-app #10
npm:vite
npm:next
+12 more
Bump the npm_and_yarn group across 1 directory with 9 updates
Closed 3 days ago
stefanteitge/rc-cloud #21
npm:follow-redirects
npm:lodash
+7 more
chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates
Open 3 days ago
xiaomizhoubaobei/302_image_toolbox #25
npm:cross-spawn
npm:nanoid
+10 more
chore(deps): bump the npm_and_yarn group across 4 directories with 14 updates
Open 3 days ago
Dargon789/safe-apps-sdk #199
npm:lodash
npm:node-forge
+3 more
Bump lodash from 4.17.20 to 4.18.1 in /javascript
Closed 3 days ago
e5pe0n/demo #5
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Open 4 days ago
FlyteWizard/csc-seng-heat-outlines #37
npm:lodash
chore(deps): bump the npm_and_yarn group across 6 directories with 20 updates
Open 4 days ago
loveyou001/wizard #19
npm:axios
npm:follow-redirects
+5 more
Bump lodash-es from 4.17.23 to 4.18.1
Open 4 days ago
alveusgg/alveusgg #2094
npm:lodash-es
Bump the npm_and_yarn group across 12 directories with 6 updates
Closed 4 days ago
gagan0123/jetpack #19
npm:undici
npm:lodash
+2 more
chore(deps): bump lodash-es from 4.17.23 to 4.18.1
Open 4 days ago
rebekah-create/inbox-zero-rebekah #25
npm:lodash-es
Advisory Details
| Field | Value |
|---|---|
| Published | April 01, 2026 (about 2 months ago) |
| Updated | May 05, 2026 (13 days ago) |
| CVSS Score | 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) |
| EPSS | 0.03% (7th percentile) |
| Source | GitHub |
| Classification | GENERAL |
| UUID | GSA_kwCzR0hTQS1mMjNtLXIzcGYtNDJyaM4ABUmV |
PR Statistics
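PR Status
| Status | Count | Share |
|---|---|---|
| Open | 2002 | 53.7% |
| Merged | 0 | 0.0% |
| Closed | 1724 | 46.3% |

Update Types
| Type | Count | Share |
|---|---|---|
| Major | 1335 | 8.0% |
| Minor | 9084 | 54.3% |
| Patch | 6134 | 36.6% |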