npm package
lodash-es
pkg:npm/lodash-es
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4800 | High | 8.1 | — | >= 4.0.0, < 4.18.0 | 4.18.0 | Mar 31, 2026 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a |
| CVE-2026-2950 | Medium | 6.5 | — | < 4.18.0 | 4.18.0 | Mar 31, 2026 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca |
| CVE-2025-13465 | — | — | — | >= 4.0.0, < 4.17.23 | 4.17.23 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin |
| CVE-2021-23337 | — | — | — | < 4.17.21 | 4.17.21 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
| CVE-2020-28500 | — | — | — | >= 4.0.0, < 4.17.21 | 4.17.21 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |
| CVE-2020-8203 | — | — | — | >= 3.7.0, < 4.17.20 | 4.17.20 | Jul 15, 2020 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2019-10744 | — | — | — | < 4.17.14 | 4.17.14 | Jul 25, 2019 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
| CVE-2019-1010266 | — | — | — | >= 4.7.0, < 4.17.11 | 4.17.11 | Jul 17, 2019 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fix |
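To turn the table into something a build can check, the following is an added example (not code from the advisory page and not part of lodash-es): it encodes the affected ranges and "Fixed in" versions copied from the table above, reports which entries still apply to an installed lodash-es version, and names the smallest listed fix that clears all of them. Ordering a prerelease tag (for example 4.18.0-beta.1) below its release is this example's own conservative choice; the table lists only releases.

```javascript
// Added example: not from the advisory page and not part of lodash-es.
// Checks an installed lodash-es version against the affected ranges listed in
// the table above and reports which advisories still apply and the smallest
// listed "Fixed in" version that clears all of them.

// Affected ranges and fixed versions, copied from the table above. A range
// with a comma (">= 4.0.0, < 4.18.0") is the conjunction of both bounds.
const ADVISORIES = [
  { id: 'CVE-2026-4800',    range: '>= 4.0.0, < 4.18.0',  fixed: '4.18.0'  },
  { id: 'CVE-2026-2950',    range: '< 4.18.0',            fixed: '4.18.0'  },
  { id: 'CVE-2025-13465',   range: '>= 4.0.0, < 4.17.23', fixed: '4.17.23' },
  { id: 'CVE-2021-23337',   range: '< 4.17.21',           fixed: '4.17.21' },
  { id: 'CVE-2020-28500',   range: '>= 4.0.0, < 4.17.21', fixed: '4.17.21' },
  { id: 'CVE-2020-8203',    range: '>= 3.7.0, < 4.17.20', fixed: '4.17.20' },
  { id: 'CVE-2019-10744',   range: '< 4.17.14',           fixed: '4.17.14' },
  { id: 'CVE-2019-1010266', range: '>= 4.7.0, < 4.17.11', fixed: '4.17.11' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable tuple. The fourth
// element orders a prerelease (0) below its release (1), so "4.18.0-beta.1"
// still satisfies "< 4.18.0" and is reported as affected (assumption of this
// example: treat prereleases conservatively; the table lists only releases).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one bound such as ">= 4.0.0" or "< 4.17.21" against a parsed version.
function satisfiesBound(version, bound) {
  const m = /^(>=|<=|>|<|=)?\s*(\S+)$/.exec(bound.trim());
  if (!m) throw new Error(`unparseable bound: ${bound}`);
  const c = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// Ids of the advisories whose range contains the installed version, in table order.
function affectedAdvisories(installedVersion) {
  const v = parseVersion(installedVersion);
  return ADVISORIES
    .filter(a => a.range.split(',').every(b => satisfiesBound(v, b)))
    .map(a => a.id);
}

// Smallest "Fixed in" version from the table that is above the installed
// version and matches none of the ranges. Returns null when the installed
// version is already clear (no upgrade needed) or when no listed fix clears
// every advisory.
function minimumSafeVersion(installedVersion) {
  const v = parseVersion(installedVersion);
  if (affectedAdvisories(installedVersion).length === 0) return null;
  const candidates = ADVISORIES
    .map(a => a.fixed)
    .filter(f => compareVersions(parseVersion(f), v) > 0)
    .sort((x, y) => compareVersions(parseVersion(x), parseVersion(y)));
  return candidates.find(f => affectedAdvisories(f).length === 0) ?? null;
}

// Usage on a constructed version string; read the real one from
// node_modules/lodash-es/package.json or from the lockfile.
console.log(affectedAdvisories('4.17.21'), minimumSafeVersion('4.17.21'));
```

Note that the two lower-bound-free ranges ("< 4.17.21" and "< 4.18.0") also match 3.x versions, so a 3.x lodash-es is reported as affected by those entries even though the dated 4.x entries do not apply to it.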
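Two bug classes recur in the table: prototype pollution (CVE-2019-10744, CVE-2020-8203, CVE-2025-13465, CVE-2026-2950) and names flowing into the Function() constructor inside _.template (CVE-2021-23337, CVE-2026-4800). Both come down to untrusted input reaching an API that interprets it. The following is an added example, not code from the advisory page and not lodash's own: caller-side guards for path input to _.unset/_.omit and for _.template options, plus a toy path-walking delete that models the bug class the CVE-2025-13465 and CVE-2026-2950 entries describe. The toy is not lodash's implementation, the guard rules (array-only paths, a forbidden-key list, bare-identifier names) are this example's own choices, and the non-string-segment trick shown is the general weakness of a string-only check, not the specific bypass behind CVE-2026-2950, whose text is cut off on this page.

```javascript
// Added example: not from the advisory page and not lodash's code. Two guards
// to run on untrusted input before it reaches _.unset / _.omit (paths) or
// _.template (options), and a toy path-walking delete that models the bug
// class the table describes without touching Object.prototype.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise an untrusted path for _.unset / _.omit. Design choices (ours, not
// lodash's): only array paths are accepted, because interpreting "a.b[0]"
// strings would mean re-implementing lodash's path parser, and any mismatch
// between two parsers is a bypass; every segment must be a plain string or a
// non-negative integer, so an object whose toString() yields a forbidden name
// is rejected instead of being coerced (a guard that only inspects string
// segments, as the CVE-2026-2950 entry describes, lets such a segment through).
function toSafePath(path) {
  if (!Array.isArray(path)) throw new TypeError('path must be an array');
  return path.map((seg, i) => {
    if (typeof seg === 'number') {
      if (!Number.isInteger(seg) || seg < 0) throw new TypeError(`bad index at ${i}`);
      return seg;
    }
    if (typeof seg !== 'string') throw new TypeError(`non-string segment at ${i}`);
    if (FORBIDDEN_KEYS.has(seg)) throw new Error(`forbidden key "${seg}" at ${i}`);
    return seg;
  });
}

// _.template hands `variable` and the key names of `imports` to a Function()
// constructor (the sink named in the CVE-2026-4800 entry). Require every such
// name to be a bare identifier so it cannot alter the generated source.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function toSafeTemplateOptions(options = {}) {
  const out = { ...options };
  if (out.variable !== undefined && !IDENTIFIER.test(String(out.variable))) {
    throw new Error(`template "variable" is not an identifier: ${out.variable}`);
  }
  if (out.imports !== undefined) {
    if (typeof out.imports !== 'object' || out.imports === null) {
      throw new TypeError('template "imports" must be an object');
    }
    for (const key of Object.keys(out.imports)) {
      if (!IDENTIFIER.test(key)) throw new Error(`imports key is not an identifier: ${key}`);
    }
  }
  return out;
}

// Toy model of a path-walking delete (the bug class, not lodash's code):
// plain property access along the path, then delete the final key. Nothing
// stops the path from walking through "__proto__" onto a prototype that every
// instance shares.
function naiveUnset(obj, path) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur == null) return false;
    cur = cur[path[i]];
  }
  return cur == null ? false : delete cur[path[path.length - 1]];
}

// A guard that only inspects string segments: enough for ['__proto__', ...]
// but blind to a non-string segment that coerces to the same name.
function stringOnlyGuardPasses(path) {
  return path.every(seg => typeof seg !== 'string' || !FORBIDDEN_KEYS.has(seg));
}

function guardedUnset(obj, path) {
  return naiveUnset(obj, toSafePath(path));
}

// Demonstration on a constructed class, so Object.prototype is never touched.
function demo() {
  class Widget { render() { return 'ok'; } }
  const target = new Widget();
  const bystander = new Widget();
  // Segment 0 is an object whose toString() is "__proto__": property access
  // coerces it, so naiveUnset walks onto Widget.prototype and removes render
  // for every instance, while the string-only guard sees nothing wrong.
  const sneaky = [{ toString() { return '__proto__'; } }, 'render'];
  const passedWeakGuard = stringOnlyGuardPasses(sneaky);
  naiveUnset(target, sneaky);
  const bystanderLostMethod = typeof bystander.render === 'undefined';
  Widget.prototype.render = function () { return 'ok'; };   // repair for the next step
  let guardError = null;
  try { guardedUnset(target, sneaky); } catch (e) { guardError = e.message; }
  return { passedWeakGuard, bystanderLostMethod, guardError, bystanderWorks: bystander.render() };
}

console.log(demo());
```

The guards are deliberately stricter than necessary for well-formed input: a rejected path or option name is a bug in the caller, not a reason to relax the check, and keeping the checks independent of lodash's own parsing is what keeps them from being bypassed by the kind of gap the CVE-2026-2950 and CVE-2026-4800 entries describe in lodash's own fixes.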