CVE-2026-2950

MEDIUM

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Title source: cna

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

References (1)

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 6.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (16)

lodash/lodash 4.0.0 - 4.17.23

lodash/lodash 4.17.23 - 4.18.0

lodash/lodash 4.18.0

lodash/lodash-amd 4.0.0 - 4.17.23

lodash/lodash-amd 4.17.23 - 4.18.0

lodash/lodash-amd 4.18.0

lodash/lodash-es 4.0.0 - 4.17.23

lodash/lodash-es 4.17.23 - 4.18.0

lodash/lodash-es 4.18.0

lodash/lodash.unset 4.0.0

... and 6 more

Published Mar 31, 2026

Tracked Since Apr 01, 2026