CVE-2026-2950

Summary

Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.

Affected Software

VendorProductVersion RangeStatus
lodashlodash4.17.23 < 4.18.0affected
lodashlodash4.18.0unaffected
lodashlodash-es4.17.23 < 4.18.0affected
lodashlodash-es4.18.0unaffected
lodashlodash-amd4.17.23 < 4.18.0affected
lodashlodash-amd4.18.0unaffected
lodashlodash.unset4.0.0 < 4.18.0affected
lodashlodash.unset4.18.0unaffected

Weaknesses

  • CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References