Description
Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Property Deletion
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to delete properties from built-in JavaScript prototypes by providing array-wrapped path segments to the lodash _.unset and _.omit functions. This prototype pollution can remove properties from Object.prototype, Number.prototype, and String.prototype, potentially altering the behavior of all objects and strings in the running application. Though it does not enable overwriting of those properties, the removal of standard behaviors can lead to unexpected errors or subtle logic failures, affecting the integrity of the application.

Affected Systems

The issue affects all official lodash distributions prior to version 4.18.0, including lodash, lodash-amd, lodash-es, and lodash.unset. Projects that depend on any of these NPM packages, especially those that use _.unset or _.omit on untrusted input, are vulnerable. The patch was released in lodash 4.18.0.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can provide crafted input to a code path that calls _.unset or _.omit, which is common in many template parsing or configuration handling modules. If exploited, an attacker could disrupt application logic by removing essential prototype properties.

Generated by OpenCVE AI on April 16, 2026 at 09:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade lodash to version 4.18.0 or later.
  • Audit code to ensure no usage of _.unset or _.omit on untrusted data.
  • Monitor for potential errors attributable to missing prototype properties.

Generated by OpenCVE AI on April 16, 2026 at 09:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
History

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Lodash lodash-amd
Lodash lodash-es
CPEs cpe:2.3:a:lodash:lodash-amd:*:*:*:*:*:node.js:*:*
cpe:2.3:a:lodash:lodash-es:*:*:*:*:*:node.js:*:*
cpe:2.3:a:lodash:lodash.unset:*:*:*:*:*:node.js:*:*
cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
Vendors & Products Lodash lodash-amd
Lodash lodash-es

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Lodash
Lodash lodash
Lodash lodash.unset
Vendors & Products Lodash
Lodash lodash
Lodash lodash.unset

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Title lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Lodash Lodash Lodash-amd Lodash-es Lodash.unset
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-04-01T13:43:21.491Z

Reserved: 2026-02-21T20:04:35.087Z

Link: CVE-2026-2950

cve-icon Vulnrichment

Updated: 2026-04-01T13:43:18.193Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:26.207

Modified: 2026-04-07T16:12:25.970

Link: CVE-2026-2950

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-31T19:18:35Z

Links: CVE-2026-2950 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses