npm package
lodash
pkg:npm/lodash
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4800 | High | 8.1 | — | >= 4.0.0, < 4.18.0 | 4.18.0 | Mar 31, 2026 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a |
| CVE-2026-2950 | Medium | 6.5 | — | < 4.18.0 | 4.18.0 | Mar 31, 2026 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca |
| CVE-2025-13465 | — | — | — | >= 4.0.0, < 4.17.23 | 4.17.23 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin |
| CVE-2021-23337 | — | — | — | < 4.17.21 | 4.17.21 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
| CVE-2020-28500 | — | — | — | >= 4.0.0, < 4.17.21 | 4.17.21 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |
| CVE-2020-8203 | — | — | — | >= 3.7.0, < 4.17.19 | 4.17.19 | Jul 15, 2020 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2019-10744 | — | — | — | < 4.17.12 | 4.17.12 | Jul 25, 2019 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
| CVE-2019-1010266 | — | — | — | >= 4.7.0, < 4.17.11 | 4.17.11 | Jul 17, 2019 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fix |
| CVE-2018-16487 | — | — | — | < 4.17.11 | 4.17.11 | Feb 1, 2019 | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. |
| CVE-2018-3721 | — | — | — | < 4.17.5 | 4.17.5 | Jun 7, 2018 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of a |