GHSA-f23m-r3pf-42rh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f23m-r3pf-42rh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f23m-r3pf-42rh/GHSA-f23m-r3pf-42rh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f23m-r3pf-42rh
- Aliases
-
- CVE-2026-2950
- Downstream
- Related
- Published
- 2026-04-01T23:50:27Z
- Modified
- 2026-04-02T17:29:51.565211556Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
- Details
-
Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the
_.unsetand_.omitfunctions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such asObject.prototype,Number.prototype, andString.prototype.The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches
This issue is patched in 4.18.0.
Workarounds
None. Upgrade to the patched version.
- Database specific
{ "nvd_published_at": "2026-03-31T20:16:26Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-1321" ], "github_reviewed_at": "2026-04-01T23:50:27Z" }- References
Affected packages
npm / lodash
Package
- Name
- lodash
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash
npm / lodash-es
Package
- Name
- lodash-es
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash-es
npm / lodash-amd
Package
- Name
- lodash-amd
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash-amd
npm / lodash.unset
Package
- Name
- lodash.unset
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash.unset