CVE-2026-2950

MEDIUM 6.5

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

CWE	CWE-1321
Vendor	lodash
Product	lodash
Published	Mar 31, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for lodash lodash

Be the first to know when new medium vulnerabilities affecting lodash lodash are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

lodash / lodash

4.17.23 < 4.18.0

lodash / lodash-es

4.17.23 < 4.18.0

lodash / lodash-amd

4.17.23 < 4.18.0

lodash / lodash.unset

4.0.0 < 4.18.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

Credits

🔍 Haruna38 shpik-kr maru1009 ott3r07 zolbooo backuardo falsyvalues jonchurch jdalton UlisesGascon