VYPR
Medium severity6.5NVD Advisory· Published Mar 31, 2026· Updated Apr 7, 2026

CVE-2026-2950

CVE-2026-2950

Description

Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
lodashnpm
< 4.18.04.18.0
lodash-esnpm
< 4.18.04.18.0
lodash-amdnpm
< 4.18.04.18.0
lodash.unsetnpm
>= 4.0.0, < 4.18.04.18.0

Affected products

131

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.