GHSA-xxjr-mmjv-4gpg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-xxjr-mmjv-4gpg/GHSA-xxjr-mmjv-4gpg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xxjr-mmjv-4gpg
- Aliases
- Downstream
- Published
- 2026-01-21T23:01:22Z
- Modified
- 2026-01-21T23:26:19.035939Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P CVSS Calculator
- Summary
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
- Details
-
Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the
_.unsetand_.omitfunctions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.The issue permits deletion of properties but does not allow overwriting their original behavior.
Patches
This issue is patched on 4.17.23.
- Database specific
{ "cwe_ids": [ "CWE-1321" ], "severity": "MODERATE", "nvd_published_at": "2026-01-21T20:16:05Z", "github_reviewed": true, "github_reviewed_at": "2026-01-21T23:01:22Z" }- References
Affected packages
npm / lodash
Package
- Name
- lodash
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash
npm / lodash.unset
Package
- Name
- lodash.unset
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash.unset
npm / lodash-es
Package
- Name
- lodash-es
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash-es
npm / lodash-amd
Package
- Name
- lodash-amd
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash-amd