Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

INFO

Published Date :

2026-03-31T19:18:35.796Z

Last Modified :

2026-04-01T13:43:21.491Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-2950 vulnerability.

Vendors Products
Lodash
  • Lodash
  • Lodash-amd
  • Lodash-es
  • Lodash.unset
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-2950.

URL Resource
https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-2950 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-2950 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact