CVEFinder.io

CVE-2026-2950

🔶 medium
Description

Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards path keys that are strings, so an attacker can bypass the check by passing array-wrapped path segments, which are coerced to the very property names the guard was meant to block once the path is walked. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting them with attacker-controlled values. The practical impact is therefore breakage of any code that relies on the deleted members (integrity and availability, matching the CVSS vector's C:N/I:L/A:L), not arbitrary property injection.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.
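The bypass described above and the 4.18.0 version boundary, as an added model that is not lodash's code and not the lodash patch: `weakGuard` mirrors the string-only check the advisory describes, `hardenedGuard` is my own illustration of the principle (coerce the segment to the same string the traversal will use, then compare), `unsetPath` is a minimal _.unset-style walk, and `isAffectedLodashVersion` encodes only the "patched in 4.18.0" statement. The `Widget` constructor is a constructed stand-in for a built-in prototype so the demonstration does not damage the running process.

```javascript
// Added illustration for CVE-2026-2950. This is NOT lodash's source code: it
// models the pattern the advisory describes (a guard that inspects only string
// path segments, followed by key coercion that turns an array-wrapped segment
// such as ['__proto__'] back into the string '__proto__'). The hardened guard
// is my own illustration of the principle, not the lodash 4.18.0 patch.

const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard: only string segments are compared against the blocklist, so an
// array, number or object segment passes through unexamined.
function weakGuard(segment) {
  return !(typeof segment === 'string' && PROTO_KEYS.has(segment));
}

// Hardened guard: coerce the segment to a property key exactly the way the
// traversal below does, then compare. String(['__proto__']) === '__proto__',
// so wrapping the segment in an array no longer slips past the check.
function hardenedGuard(segment) {
  return !PROTO_KEYS.has(String(segment));
}

// Minimal _.unset-style walk. Each segment is coerced with String() when used
// as a property name; that coercion is what lets a wrapped segment become a
// real key. Returns true when the final property was deleted.
function unsetPath(target, path, guard) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  if (!segments.every(guard)) return false;          // guard rejected a segment
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    cur = cur[String(segments[i])];                    // '__proto__' reaches the prototype
    if (cur === null || (typeof cur !== 'object' && typeof cur !== 'function')) return false;
  }
  return delete cur[String(segments[segments.length - 1])];
}

// Demonstration against a local constructor's prototype (constructed stand-in
// for Object.prototype) so the running process is not damaged. Shared-prototype
// deletion is the same mechanism: w2 loses render() although only w1 was passed.
function demo() {
  function Widget() {}
  Widget.prototype.render = function () { return 'rendered'; };
  const w1 = new Widget();
  const w2 = new Widget();

  // A plain '__proto__' string is caught by both guards.
  const plainBlocked = !unsetPath(w1, ['__proto__', 'render'], weakGuard);

  // Array-wrapped first segment: weakGuard never looks at it, traversal coerces
  // it to '__proto__', and Widget.prototype.render is deleted for every instance.
  const bypassWorked = unsetPath(w1, [['__proto__'], 'render'], weakGuard);
  const w2Broken = typeof w2.render === 'undefined';

  // Restore, then show the hardened guard rejects the identical wrapped input.
  Widget.prototype.render = function () { return 'rendered'; };
  const hardenedBlocked = !unsetPath(w1, [['__proto__'], 'render'], hardenedGuard);
  const stillIntact = w2.render() === 'rendered';

  return { plainBlocked, bypassWorked, w2Broken, hardenedBlocked, stillIntact };
}

// Affected-version check taken from the advisory text: the fix shipped in
// 4.18.0, so any lodash release below 4.18.0 (4.17.23 included) is in scope.
// Accepts a bare version or a package.json range prefix such as ^ or ~.
function isAffectedLodashVersion(version) {
  const m = /^(\d+)\.(\d+)\.\d+/.exec(String(version).trim().replace(/^[v^~]/, ''));
  if (!m) return false;                              // unparseable: inspect manually
  const major = Number(m[1]);
  const minor = Number(m[2]);
  if (major !== 4) return major < 4;
  return minor < 18;
}

console.log(demo(), isAffectedLodashVersion('4.17.23'), isAffectedLodashVersion('4.18.0'));
```

The lesson is the one the advisory implies: validate the representation you will actually use as a property name, not the representation the caller happened to pass. Run `isAffectedLodashVersion` over the resolved lodash versions in a lockfile (there are often several nested copies) rather than only the top-level dependency.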

CVSS Score: 6.5 (Medium)
EPSS Score: 0.1 (exploit probability)
Published Date: 2026-03-31
First Seen: 2026-04-01
Relative Risk Intelligence

This CVE is rated lower risk: more severe than 47.9% of the 318,071 vulnerabilities in the CVEFinder database (severity percentile rank #165,874, below average).
CISA SSVC Assessment (updated Apr 1, 2026)

Exploitation Status: None (no known exploits)
Automatable: Yes (can be exploited automatically)
Technical Impact: Partial (limited system impact)

Discovered By: Haruna38 (reporter), shpik-kr, maru1009, ott3r07, zolbooo, backuardo, falsyvalues (remediation developer), jonchurch (remediation developer), jdalton (analyst), UlisesGascon (remediation reviewer)

SSVC data provided by CISA
Last Modified 2026-04-07
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Related CVEs (6)

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-4800 | ⚠️ high | 8.1 | 0.1 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variabl... | 2026-03-31 |
| CVE-2025-13465 | 🔶 medium | 5.3 | 0.0 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An at... | 2026-01-21 |
| CVE-2020-28500 | 🔶 medium | 5.3 | 0.3 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim a... | 2021-02-15 |
| CVE-2021-23337 | ⚠️ high | 7.2 | 0.7 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | 2021-02-15 |
| CVE-2020-8203 | ⚠️ high | 7.4 | 2.6 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | 2020-07-15 |
| CVE-2019-10744 | ⛔ critical | 9.1 | 2.4 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked ... | 2019-07-26 |

These CVEs affect the same products.