CVE-2026-2950
MEDIUM6.5EPSS 0.03%lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Description
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Affected packages (5)
- Debian/node-lodashfrom 0
- npm/lodashfrom 0, < 4.18.0
- npm/lodash-amdfrom 0, < 4.18.0
- npm/lodash-esfrom 0, < 4.18.0
- npm/lodash.unset>= 4.0.0, < 4.18.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-2950
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-2950
- PATCHhttps://github.com/lodash/lodash
- WEBhttps://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
- WEBhttps://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg