
Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches: This issue is patched in 4.18.0.

Workarounds: None. Upgrade to the patched version.
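Two defender-side checks that follow from this record, written as an added example (this is not lodash's own code and it does not depend on lodash being installed): a version-range test built from the affected and fixed versions listed under "Product status" (4.0.0 up to but excluding 4.18.0), and a snapshot/verify/restore routine that detects the effect the description names, deletion of built-in prototype properties, and re-defines anything that went missing. The `demo()` function simulates the damage with a constructed `delete` of one built-in method; it stands in for whatever an unsafe `_.unset`/`_.omit` call would have removed and is not a reproduction of the issue. All function and constant names below are this example's own.

```javascript
'use strict';
// Added example, not lodash code. Assumed names: parseSemver, compareSemver,
// isAffectedLodashVersion, snapshotPrototypes, verifyPrototypes, restorePrototypes, demo.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1; pre-release tags are deliberately ignored.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

const FIRST_AFFECTED = '4.0.0'; // from the record's "Product status" section
const FIRST_FIXED = '4.18.0';   // "This issue is patched in 4.18.0"

function isAffectedLodashVersion(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 &&
         compareSemver(version, FIRST_FIXED) < 0;
}

// Prototypes named in the description, plus two further common pollution targets.
const WATCHED_PROTOTYPES = [
  ['Object.prototype', Object.prototype],
  ['Number.prototype', Number.prototype],
  ['String.prototype', String.prototype],
  ['Array.prototype', Array.prototype],
  ['Function.prototype', Function.prototype],
];

// Record every own property descriptor so a deletion can be both detected and undone.
// Reflect is used rather than Object.prototype.hasOwnProperty because the latter is
// itself a deletable prototype property.
function snapshotPrototypes(targets = WATCHED_PROTOTYPES) {
  return targets.map(([name, proto]) => ({
    name,
    proto,
    descriptors: new Map(
      Reflect.ownKeys(proto).map(k => [k, Reflect.getOwnPropertyDescriptor(proto, k)])
    ),
  }));
}

// Dotted names of properties present at snapshot time that are gone now.
function verifyPrototypes(snapshot) {
  const missing = [];
  for (const { name, proto, descriptors } of snapshot) {
    for (const key of descriptors.keys()) {
      if (Reflect.getOwnPropertyDescriptor(proto, key) === undefined) {
        missing.push(`${name}.${String(key)}`);
      }
    }
  }
  return missing;
}

// Re-defines each missing property from its saved descriptor; returns the count restored.
function restorePrototypes(snapshot) {
  let restored = 0;
  for (const { proto, descriptors } of snapshot) {
    for (const [key, desc] of descriptors) {
      if (Reflect.getOwnPropertyDescriptor(proto, key) === undefined) {
        Object.defineProperty(proto, key, desc);
        restored++;
      }
    }
  }
  return restored;
}

// Constructed demonstration: delete one built-in method to simulate the advisory's
// effect, detect it against the snapshot, then restore it.
function demo() {
  const before = snapshotPrototypes();
  delete Number.prototype.toFixed;            // simulated damage (configurable property)
  const missing = verifyPrototypes(before);   // ['Number.prototype.toFixed']
  const restored = restorePrototypes(before); // 1
  return { missing, restored, ok: verifyPrototypes(before).length === 0 };
}

console.log('4.17.23 affected:', isAffectedLodashVersion('4.17.23')); // true
console.log('4.18.0 affected:', isAffectedLodashVersion('4.18.0'));   // false
console.log(demo());
```

In a real service the snapshot would be taken once at start-up and `verifyPrototypes` run after any code path that feeds attacker-controlled paths into `_.unset`/`_.omit` (or periodically), with a non-empty result treated as an integrity alert; the version check belongs in a dependency audit step, and the upgrade to 4.18.0 remains the actual fix.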

PUBLISHED | Reserved 2026-02-21 | Published 2026-03-31 | Updated 2026-04-01 | Assigner: openjs

MEDIUM: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

Default status
unaffected

4.17.23 (semver) before 4.18.0
affected

4.18.0 (semver)
unaffected

Default status
unaffected

4.17.23 (semver) before 4.18.0
affected

4.18.0 (semver)
unaffected

Default status
unaffected

4.17.23 (semver) before 4.18.0
affected

4.18.0 (semver)
unaffected

Default status
unaffected

4.0.0 (semver) before 4.18.0
affected

4.18.0 (semver)
unaffected

Credits

Haruna38 reporter

shpik-kr finder

maru1009 finder

ott3r07 finder

zolbooo finder

backuardo finder

falsyvalues remediation developer

jonchurch remediation developer

jdalton analyst

UlisesGascon remediation reviewer

References

github.com/...lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

cve.org (CVE-2026-2950)

nvd.nist.gov (CVE-2026-2950)
