CVE-2026-2950
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| lodash | lodash | 4.17.23 < 4.18.0 | affected |
| lodash | lodash | 4.18.0 | unaffected |
| lodash | lodash-es | 4.17.23 < 4.18.0 | affected |
| lodash | lodash-es | 4.18.0 | unaffected |
| lodash | lodash-amd | 4.17.23 < 4.18.0 | affected |
| lodash | lodash-amd | 4.18.0 | unaffected |
| lodash | lodash.unset | 4.0.0 < 4.18.0 | affected |
| lodash | lodash.unset | 4.18.0 | unaffected |
Weaknesses
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.