VYPR

Lodash

by Lodash

npm: lodash

Source repositories

CVEs (4)

  • CVE-2026-4800HigMar 31, 2026
    risk 0.46cvss 8.1epss 0.02

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an…

  • CVE-2026-2950MedMar 31, 2026
    risk 0.35cvss 6.5epss 0.00

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker…

  • CVE-2025-13465MedJan 21, 2026
    risk 0.27cvss 5.3epss 0.02

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow…

  • CVE-2019-1010266Jul 17, 2019
    risk 0.00cvss epss 0.03

    lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The…