CVE-2026-2950
Description
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lodashnpm | < 4.18.0 | 4.18.0 |
lodash-esnpm | < 4.18.0 | 4.18.0 |
lodash-amdnpm | < 4.18.0 | 4.18.0 |
lodash.unsetnpm | >= 4.0.0, < 4.18.0 | 4.18.0 |
Affected products
4Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-f23m-r3pf-42rhghsaADVISORY
- github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpgnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-2950ghsaADVISORY
- github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rhghsaWEB
News mentions
0No linked articles in our index yet.