CVE-2026-2950

State: PUBLISHED · Published: 2026-03-31 · Updated: 2026-04-01 · Assigner: openjs

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

CWE

CWE-1321 — CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected

lodash / lodash — v=4.17.23 <4.18.0 [affected]; v=4.18.0 [unaffected]
lodash / lodash-es — v=4.17.23 <4.18.0 [affected]; v=4.18.0 [unaffected]
lodash / lodash-amd — v=4.17.23 <4.18.0 [affected]; v=4.18.0 [unaffected]
lodash / lodash.unset — v=4.0.0 <4.18.0 [affected]; v=4.18.0 [unaffected]

CVSS

3.1 score=6.5 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

Source

cvelistV5-main/cves/2026/2xxx/CVE-2026-2950.json